Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

NAIL.EXE / AURORA [RESOLVED]

Started by RJWoznick , Sep 06 2005 06:01 PM

  • This topic is locked This topic is locked

#1
RJWoznick
Posted 06 September 2005 - 06:01 PM

RJWoznick

    New Member

  • Member
  • Pip
  • 6 posts
I have tried everything suggested on all blogs/discussion groups.

I have followed the instructions and run all spyware/ad-ware removal tools prior to opening this post.

Below are the results from the Ewido log and the Hijack This! Please post any help that you can provide - it would be greatly appreciated.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:50:30 PM, 9/6/2005
+ Report-Checksum: 74B99879

+ Scan result:

[1620] C:\WINNT\system32\fgkffz.exe -> Trojan.Agent.cp : Cleaned with backup
C:\PROFBACKUP\rwoznick\Cookies\rwoznick@specificpop[1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\PROFBACKUP\rwoznick\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\WINNT\efgbptjroz.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\etb\pokapoka65.exe -> Spyware.EliteBar : Cleaned with backup
C:\WINNT\svcproc.exe -> Trojan.Stervis.f : Cleaned with backup
C:\WINNT\SYSTEM32\fgkffz.exe -> Trojan.Agent.ay : Cleaned with backup


::Report End


Hijack This! Log file:
=============
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\ldwuzd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.dell.com/search/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\nail.exe
O1 - Hosts: 172.17.1.8 www.demo.klik.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [vwakod] C:\WINNT\system32\ldwuzd.exe r
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {66157B4F-9E4A-488C-92A4-4434A16FCBF2} (Pegasus PrintPRO Control v3.0) - https://www.klik.com...s/PrintPRO3.cab
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - https://lockbox.wach...ImagXpress7.cab
O16 - DPF: {9E182681-323C-11D4-8225-0050DA2154E1} (KlikReport Control) - http://www.klik.com/...ReportProj1.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.c...yer5.2AxWin.cab
O16 - DPF: {BD1A7D5D-F3FB-4238-A072-6948D1150CD2} (Pegasus NotateXpress Control v7.0) - http://www.pegasusim...mos/IX7Demo.cab
O16 - DPF: {D8F92710-E222-4D2A-BCF7-B24D1AA6FC27} (KlikUrlImgCtl Control) - http://www.klik.com/...kUrlImgTool.cab
O16 - DPF: {EC00C3EF-C4D4-4D67-BB2C-60875EF22E25} (KlikReportControl Control) - https://lockbox.wach.../KlikReport.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - http://activex.micro...b5/comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.klik.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.klik.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.klik.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: CWShredder Service - InterMute, Inc. - D:\WOZNICK PROBLEM\CWShredder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE
  • 0

Advertisements

#2
loophole
Posted 07 September 2005 - 11:31 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello :tazz:

Sorry for the delayed response, it has been very busy lately.

If you still require help please post a new Hijack log in this
thread and I will help you. If your problem has been fixed please
respond and let us know.

Thanks
  • 0

#3
RJWoznick
Posted 08 September 2005 - 03:39 PM

RJWoznick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks for responding and thanks in advance for helping me out of this situation Loophole. The Aurora pop-ups continue so the problem persists.

Here are the newest logs:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:26:40 PM, 9/8/2005
+ Report-Checksum: BF0D3853

+ Scan result:

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
[472] C:\WINNT\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
[1720] VM_01140000 -> Adware.BetterInternet : Error during cleaning
[1520] C:\WINNT\system32\rpprjji.exe -> Trojan.Agent.cp : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\rwoznick.KTI\Cookies\rwoznick@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\rwoznick.KTI\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\rwoznick.KTI\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINNT\efgbptjroz.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\svcproc.exe -> Trojan.Stervis.f : Cleaned with backup
C:\WINNT\SYSTEM32\DrPMon.dll -> Trojan.Agent.db : Cleaned with backup
C:\WINNT\SYSTEM32\rpprjji.exe -> Trojan.Agent.ay : Cleaned with backup


::Report End



HIJACK THIS LOG
============

Logfile of HijackThis v1.99.1
Scan saved at 5:40:17 PM, on 9/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\rsnmtb.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.971searchbox.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klik.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.971searchbox.com/sp2.php
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\nail.exe
O1 - Hosts: 172.17.1.8 www.demo.klik.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [romjrr] C:\WINNT\system32\rsnmtb.exe r
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {66157B4F-9E4A-488C-92A4-4434A16FCBF2} (Pegasus PrintPRO Control v3.0) - https://www.klik.com...s/PrintPRO3.cab
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - https://lockbox.wach...ImagXpress7.cab
O16 - DPF: {9E182681-323C-11D4-8225-0050DA2154E1} (KlikReport Control) - http://www.klik.com/...ReportProj1.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.c...yer5.2AxWin.cab
O16 - DPF: {BD1A7D5D-F3FB-4238-A072-6948D1150CD2} (Pegasus NotateXpress Control v7.0) - http://www.pegasusim...mos/IX7Demo.cab
O16 - DPF: {D8F92710-E222-4D2A-BCF7-B24D1AA6FC27} (KlikUrlImgCtl Control) - http://www.klik.com/...kUrlImgTool.cab
O16 - DPF: {EC00C3EF-C4D4-4D67-BB2C-60875EF22E25} (KlikReportControl Control) - https://lockbox.wach.../KlikReport.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - http://activex.micro...b5/comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.klik.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.klik.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.klik.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: CWShredder Service - Unknown owner - D:\WOZNICK PROBLEM\CWShredder.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE
  • 0

#4
loophole
Posted 08 September 2005 - 05:39 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello RJWoznick and welcome to Geeks to Go:tazz:

I see you have been infected by malware. Lets get you fixed up.
Please follow the directions as closely as you can . Lets begin

Please update Ewido

Download and install CleanUp! Here
but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

1.Download the latest version of Ad-Aware (Ad-Aware SE Build 1.06r1) from here.

Install Ad-Aware using the default options


2. Download the VX2 Cleaner Plug-in Here

Then install vx2cleaner, using all the defaults there as well.

3. Run Ad-Aware
*Update to the latest definitions
*Then click on Add-ons in the lefthand column.
*Select VX2 Cleaner V2.0 and click Run Tool. Click "OK".
*If something is found, click "Clean" as in the directions given.
*Click "Close", and EXIT Ad-Aware.
4. Reboot your PC and run Ad-Aware again.
*This time, click on the Start button in Ad-Aware
*Select "Perform smart system scan" and click Next.
*Once the scan finishes, click "Next" again.
*Select all objects found ("right click anywhere in the list of found objects and *click "Select All Objects").
*Click "Next" one more time, then "OK" to confirm the removal.
*You will be prompted to set Ad-Aware to run on reboot, click "OK".
*Exit Ad-Aware
REBOOT your PC into safemode
Please reboot into safe mode Safe mode(continually tap the F8 key while your system is starting, select Safe Mode from the menu).

When Ad-Aware starts up, click on "Start", then "Next".
Follow the steps above if anything is found, or click "Finish", then EXIT Ad-Aware.

Now run cleanup

Open Ewido
:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.971searchbox.com/sp2.php
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\nail.exe
O4 - HKLM\..\Run: [romjrr] C:\WINNT\system32\rsnmtb.exe r

Now close all windows other than HiJackThis, then click Fix Checked

Reboot and post the Ewido log and a New Hijack log to review .

Thanks :)
  • 0

#5
RJWoznick
Posted 08 September 2005 - 10:17 PM

RJWoznick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Loophole, thanks again for the great instructions. They were very easy to follow. I was not sure if I was supposed to do the "CLEANUP", "EWIDO", and HIjackThis steps in safe mode but I did.

Again, thank you for your help with my Malware problem.


Please read my update:

1. In step 4, after clicking on NEXT and OK to confirm remove I was not prompted for by Ad aware to run on re-boot.

2. I closed out of Ad-aware and did re-boot in safemode. Ad-Aware did not start up, so I manually started it and ran a scan. Results were clean.

3. I then ran "Cleanup", "Ewido", and "HijackThis" all in safe mode with no reboot.

4. When I ran "Hijackthis" in safemode none of the 7 entries you wanted me to remove were listed. I then rebooted into normal mode.

5. When I ran the Hijackthis scan as you can see below, the first 5 items in your list to check and fix were back, however, the nail.exe entry and that rsnmtb.exe
Also, looks like no Aurora pop-ups.


Here are the new logs:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:52:31 PM, 9/8/2005
+ Report-Checksum: 7F74FBF2

+ Scan result:

No infected objects found.


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 12:07:36 AM, on 9/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.971searchbox.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klik.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.971searchbox.com/sp2.php
R3 - Default URLSearchHook is missing
O1 - Hosts: 172.17.1.8 www.demo.klik.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {66157B4F-9E4A-488C-92A4-4434A16FCBF2} (Pegasus PrintPRO Control v3.0) - https://www.klik.com...s/PrintPRO3.cab
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - https://lockbox.wach...ImagXpress7.cab
O16 - DPF: {9E182681-323C-11D4-8225-0050DA2154E1} (KlikReport Control) - http://www.klik.com/...ReportProj1.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.c...yer5.2AxWin.cab
O16 - DPF: {BD1A7D5D-F3FB-4238-A072-6948D1150CD2} (Pegasus NotateXpress Control v7.0) - http://www.pegasusim...mos/IX7Demo.cab
O16 - DPF: {D8F92710-E222-4D2A-BCF7-B24D1AA6FC27} (KlikUrlImgCtl Control) - http://www.klik.com/...kUrlImgTool.cab
O16 - DPF: {EC00C3EF-C4D4-4D67-BB2C-60875EF22E25} (KlikReportControl Control) - https://lockbox.wach.../KlikReport.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - http://activex.micro...b5/comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.klik.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.klik.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.klik.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: CWShredder Service - Unknown owner - D:\WOZNICK PROBLEM\CWShredder.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE
  • 0

#6
loophole
Posted 08 September 2005 - 10:29 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
I am not familiar with this , do you want this as your search tool 971searchbox.com/

Next: Aurora is gone and everything you did was correct :tazz:

Next; Your log looks clean , any problems?

Please advise
  • 0

#7
RJWoznick
Posted 08 September 2005 - 10:49 PM

RJWoznick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Loophole, thanks for the quick turn around times. How would I get rid of that search tool? I'm not sure what that is myself.
  • 0

#8
loophole
Posted 08 September 2005 - 11:08 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Well lets go the safer route

Please run this online virus scan:
Panda Active Scan You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here. Also post a new Hijack log

Thanks :tazz:
  • 0

#9
RJWoznick
Posted 09 September 2005 - 12:20 AM

RJWoznick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Loophole, Do you ever sleep? Thanks for the latest instructions and here are the logs from the Panda Scan and the latest HiJackThis.

I need some rest before I go back to work. I will check back later today and again thanks for all your time and help with this.


Panda Scan:


Incident Status Location

Adware:adware/elitebar No disinfected C:\WINNT\etb
Adware:adware/afaenhance No disinfected Windows Registry



Hijack this Log:



Logfile of HijackThis v1.99.1
Scan saved at 2:23:18 AM, on 9/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.971searchbox.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klik.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.971searchbox.com/sp2.php
R3 - Default URLSearchHook is missing
O1 - Hosts: 172.17.1.8 www.demo.klik.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {66157B4F-9E4A-488C-92A4-4434A16FCBF2} (Pegasus PrintPRO Control v3.0) - https://www.klik.com...s/PrintPRO3.cab
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - https://lockbox.wach...ImagXpress7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9E182681-323C-11D4-8225-0050DA2154E1} (KlikReport Control) - http://www.klik.com/...ReportProj1.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.c...yer5.2AxWin.cab
O16 - DPF: {BD1A7D5D-F3FB-4238-A072-6948D1150CD2} (Pegasus NotateXpress Control v7.0) - http://www.pegasusim...mos/IX7Demo.cab
O16 - DPF: {D8F92710-E222-4D2A-BCF7-B24D1AA6FC27} (KlikUrlImgCtl Control) - http://www.klik.com/...kUrlImgTool.cab
O16 - DPF: {EC00C3EF-C4D4-4D67-BB2C-60875EF22E25} (KlikReportControl Control) - https://lockbox.wach.../KlikReport.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - http://activex.micro...b5/comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.klik.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.klik.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.klik.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: CWShredder Service - Unknown owner - D:\WOZNICK PROBLEM\CWShredder.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE
  • 0

#10
loophole
Posted 09 September 2005 - 02:03 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Did you say sleep :tazz:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.971searchbox.com/sp2.php
R3 - Default URLSearchHook is missing

Now close all windows other than HiJackThis, then click Fix Checked

Open HiJackThis. It should open to a "New users quickstart" menu
Click "Open the Misc Tools section"
Click "Delete a file on reboot..."
In the "Enter file to delete on reboot..." window, navigate to:

C:\WINNT\

And select the file

C:\etb

Then click Open. After you click Open, HiJackThis will ask you if you want to restart your computer now. You do, so click Yes.

Post a new hijack log and tell me how your system is running now.

Thanks :)
  • 0

#11
RJWoznick
Posted 09 September 2005 - 05:18 PM

RJWoznick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Loophole,

Thank you very much. Your time and effort solving this issue for me is greatly appreciated.

I have finished the latest rounds of fixes that you have relayed to me and all looks good. My computer is functioning quite nicely.

I have attached what I hope is the last HIjackthis log and again thank you.


Logfile of HijackThis v1.99.1
Scan saved at 7:22:16 PM, on 9/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klik.com/
O1 - Hosts: 172.17.1.8 www.demo.klik.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {66157B4F-9E4A-488C-92A4-4434A16FCBF2} (Pegasus PrintPRO Control v3.0) - https://www.klik.com...s/PrintPRO3.cab
O16 - DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} (Pegasus ImagXpress Control v7.0) - https://lockbox.wach...ImagXpress7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9E182681-323C-11D4-8225-0050DA2154E1} (KlikReport Control) - http://www.klik.com/...ReportProj1.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.c...yer5.2AxWin.cab
O16 - DPF: {BD1A7D5D-F3FB-4238-A072-6948D1150CD2} (Pegasus NotateXpress Control v7.0) - http://www.pegasusim...mos/IX7Demo.cab
O16 - DPF: {D8F92710-E222-4D2A-BCF7-B24D1AA6FC27} (KlikUrlImgCtl Control) - http://www.klik.com/...kUrlImgTool.cab
O16 - DPF: {EC00C3EF-C4D4-4D67-BB2C-60875EF22E25} (KlikReportControl Control) - https://lockbox.wach.../KlikReport.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - http://activex.micro...b5/comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.klik.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.klik.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.klik.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: CWShredder Service - Unknown owner - D:\WOZNICK PROBLEM\CWShredder.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE
  • 0

#12
loophole
Posted 09 September 2005 - 05:39 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Looks good :tazz: Happy to help :)

your system is clean

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0

#13
loophole
Posted 10 September 2005 - 12:30 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP