Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
pabloatlansingdotcom Newbie
Joined: 24 Apr 2005 Last Visit: 01 May 2005 Posts: 4
Posted: Sun Apr 24, 2005 8:01 pm Post subject: need help with aurora nail.exe pop up removal

I need help getting rid of Aurora popups. I have run Ad-Aware, Spybot, Ewido and Norton. Here is my HijackThis log.
Thanks for any help you can give me.
Logfile of HijackThis v1.99.1
Scan saved at 11:53:39 PM, on 4/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\GWHotKey.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\aaa\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://connect2agent.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINDOWS\frennk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [fgmffq] c:\windows\system32\meocay.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\AFLASH~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\AFLASH~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwhb.ops.placeware.com/etc/place/HOTEL/SCHpws-b2/5.1.7.413/lib/quicksilver.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://12.20.72.79/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097767678814
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Profile.local
O17 - HKLM\Software\..\Telephony: DomainName = Profile.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CBF2FBF-6B70-4FC8-BBFA-0DFC46C8B804}: NameServer = 66.73.20.40,206.141.193.55
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Profile.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Profile.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing) |
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 16 Jan 2010 Posts: 13104 Location: Ontario
Posted: Tue Apr 26, 2005 2:23 am
Hi and welcome.
You have most of the right tools to kill this nasty off; it just needs a little tweaking in how it is done.
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Please do NOT run a scan yet.
(You have already downloaded/installed it; just check for updates.)
Please run Notepad and copy the following text into a new file:
Code:
@ECHO OFF
REM Run Nail.exe with its /FULLREMOVE switch, then disable, stop and delete
REM the SvcProc service listed in the O23 line of the log
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so del can remove the files
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit
Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". Don't run it yet.
Please copy the following instructions to Notepad; we will be going into Safe Mode and can't see this page.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.
Please note any errors and report them back here if any.
Then please run Ewido security suite, and perform a full scan. Remove anything found, and please save the logfile from the scan, because I will ask you to post it here for me later.
Then please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINDOWS\frennk.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [fgmffq] c:\windows\system32\meocay.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Close all open windows except for HijackThis and click Fix Checked.
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
Thanks.
_________________
Never give up!
Microsoft MVP Windows-Security 2005-2009
Good/Bad anti spy apps
If we have helped you please consider a donation. Thank You
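The reply above triages the log by entry type: the F2 Shell= line that loads more than Explorer.exe, O2/O3 entries with no name or a missing file, a random-named O4 Run entry in system32, and an O23 service with no vendor and no file. As an added example (not part of the original post and not HijackThis code), the script below applies those same checks to HijackThis log lines. The sample log is a constructed subset of the first log posted in this thread plus two clean entries for contrast, and the random-name rule for O4 entries is a heuristic of mine, not a HijackThis feature.

```python
"""Triage a HijackThis log for the entry types this thread acts on.

Added example; not HijackThis code and not from the original post.  The
rules mirror what the reply above checks: a Shell= line that loads more
than Explorer.exe, O2/O3/O9/O23 entries whose file is missing or unnamed,
O23 services with no vendor, and O4 Run entries with a random-looking
name dropped straight into %windir%.  Every hit is a prompt for a human
to review, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines from the first log posted in this
# thread, plus two clean entries (Google Toolbar, iPod Service) for contrast.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://connect2agent.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINDOWS\frennk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [fgmffq] c:\windows\system32\meocay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
SHELL_RE = re.compile(r"Shell=(?P<value>.*)$", re.IGNORECASE)
# Bracketed Run name, optional quotes, then the target up to its extension.
# Unquoted paths with spaces (C:\Program Files\...) are common in these logs,
# so the target is delimited by its extension rather than by whitespace.
RUN_RE = re.compile(
    r'Run: \[(?P<name>[^\]]*)\] "?(?P<path>.+?\.(?:exe|com|bat|cmd|scr|dll))\b',
    re.IGNORECASE,
)
# Heuristic (mine): a 5+ letter, all-lowercase stem dropped straight into
# %windir% or system32, like meocay, pahhron and farmmext in this thread.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,}$")
WINDIR = ("c:\\windows", "c:\\windows\\system32")


def parse_entries(text):
    """Yield (section, body, full_line) for each HijackThis entry line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("sec"), m.group("body"), line


def check_entry(section, body, line):
    """Return a Finding if the entry matches one of the thread's rules, else None."""
    if section in ("F0", "F2"):
        m = SHELL_RE.search(body)
        if m:
            value = m.group("value").strip()
            if not value:
                return Finding(section, "Shell= is empty", line)
            if value.lower() != "explorer.exe":
                return Finding(section, "Shell= loads more than Explorer.exe", line)
    if section in ("O2", "O3", "O9", "O23"):
        if "(file missing)" in body or "(no file)" in body:
            return Finding(section, "orphaned entry: target file missing", line)
        if section in ("O2", "O3") and "(no name)" in body:
            return Finding(section, "unnamed browser extension", line)
        if section == "O23" and "Unknown owner" in body:
            return Finding(section, "service with no vendor", line)
    if section == "O4":
        m = RUN_RE.search(body)
        if m:
            parent, _, filename = m.group("path").rpartition("\\")
            stem = filename.rsplit(".", 1)[0]
            if parent.lower() in WINDIR and RANDOM_STEM_RE.match(stem):
                return Finding(section, "random-named autorun in %windir%", line)
    return None


def triage(text):
    """Run every entry through check_entry and return the findings in log order."""
    findings = []
    for section, body, line in parse_entries(text):
        f = check_entry(section, body, line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The output is a review list, not a verdict: "(no name)" also appears on the benign Microsoft Money BHO in the log above, and "Unknown owner" is shown for the ATI hotkey service, so each hit still needs the file on disk checked against a known vendor before it is fixed.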
pabloatlansingdotcom Newbie
Joined: 24 Apr 2005 Last Visit: 01 May 2005 Posts: 4
Posted: Tue Apr 26, 2005 7:35 am
Your suggested process seemed to work.
Here are the two logs you requested.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:38:29 AM, 4/26/2005
+ Report-Checksum: C8B3534C
+ Date of database: 4/26/2005
+ Version of scan engine: v3.0
+ Duration: 93 min
+ Scanned Files: 177435
+ Speed: 31.59 Files/Second
+ Infected files: 44
+ Removed files: 44
+ Files put in quarantine: 44
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\Documents and Settings\Paul\Cookies\paul@59297748[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@bfast[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@counter2.hitslink[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@server.iad.liveperson[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152288.EXE -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152549.exe -> Trojan.Agent.ay -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152613.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152614.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152615.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152616.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152617.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152618.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152619.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152620.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152621.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152622.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152623.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152624.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152625.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152626.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152627.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152628.EXE -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152629.EXE -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152630.EXE -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152631.dll -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152632.exe -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152633.dll -> Spyware.DlMax.a -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152634.dll -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152635.dll -> Dialer.Generic -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152636.exe -> Trojan.Stervis.b -> Cleaned with backup
C:\RECYCLER\NPROTECT\00152637.dll -> TrojanDownloader.Agent.li -> Cleaned with backup
C:\WINDOWS\bwwlewwjsu.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\xkucznf.exe -> Spyware.BetterInternet -> Cleaned with backup
::Report End
Logfile of HijackThis v1.98.0
Scan saved at 10:49:59 AM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\GWHotKey.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://connect2agent.com/
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - (no file)
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwhb.ops.placeware.com/etc/place/HOTEL/SCHpws-b2/5.1.7.413/lib/quicksilver.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://12.20.72.79/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097767678814
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Profile.local
O17 - HKLM\Software\..\Telephony: DomainName = Profile.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CBF2FBF-6B70-4FC8-BBFA-0DFC46C8B804}: NameServer = 66.73.20.40,206.141.193.55
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Profile.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Profile.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
Thanks.
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 16 Jan 2010 Posts: 13104 Location: Ontario
Posted: Tue Apr 26, 2005 9:19 am
Hi,
Looks much better.
A couple of remnants to fix.
Can you post the HijackThis log from version 1.99.1 please?
From here:
C:\aaa\hijack\HijackThis.exe
Better delete the HijackThis.exe from the desktop to prevent confusion.
Thanks!
pabloatlansingdotcom Newbie
Joined: 24 Apr 2005 Last Visit: 01 May 2005 Posts: 4
Posted: Fri Apr 29, 2005 9:57 am
> It came back. Below is a new HijackThis log. Also I note that spoolsv.exe
> in Task Manager is hovering from 20 to 7% of CPU. I'm not printing
> anything.
>
> Thanks for your help. What next?
>
> Logfile of HijackThis v1.99.1
> Scan saved at 12:35:33 PM, on 4/29/2005
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\System32\brsvc01a.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\WINDOWS\System32\brss01a.exe
> C:\WINDOWS\system32\Ati2evxx.exe
> C:\Program Files\Interactive Intelligence\I3UpdateSvcU.exe
> C:\WINDOWS\system32\inetsrv\inetinfo.exe
> C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
> C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
> C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
> C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
> C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\Explorer.EXE
> C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
> C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
> C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
> C:\WINDOWS\GWHotKey.exe
> C:\WINDOWS\GWMDMMSG.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
> C:\Program Files\QuickTime\qttask.exe
> C:\Program Files\iTunes\iTunesHelper.exe
> C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
> C:\Program Files\Messenger\msmsgs.exe
> C:\Program Files\iPod\bin\iPodService.exe
> C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
> C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
> C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
> C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
> C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
> C:\WINDOWS\System32\dllhost.exe
> C:\WINDOWS\system32\inetsrv\DavCData.exe
> C:\Program Files\Internet Explorer\iexplore.exe
> C:\WINDOWS\explorer.exe
> c:\windows\system32\pahhron.exe
> c:\windows\system32\packager.exe
> C:\Program Files\JGsoft\EditPadPro\EditPadPro.exe
> C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
> C:\Program Files\Common Files\Adobe\Web\AOM.exe
> C:\PROGRA~1\INTERA~1\I3ACA.exe
> \?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
> C:\Program Files\Internet Explorer\iexplore.exe
> C:\zip_install\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://connect2agent.com/
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
> O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
> O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
> O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
> O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
> O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
> O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
> O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
> O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
> O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
> O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
> O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
> O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
> O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
> O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
> O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
> O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
> O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
> O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
> O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
> O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
> O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
> O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
> O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
> O4 - HKLM\..\Run: [pahhron] c:\windows\system32\pahhron.exe
> O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
> O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
> O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
> O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
> O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
> O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
> O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
> O8 - Extra context menu item: &Google Search - res://c:\program
> files\google\GoogleToolbar2.dll/cmsearch.html
>
> O8 - Extra context menu item: Backward Links - res://c:\program
> files\google\GoogleToolbar2.dll/cmbacklinks.html
>
> O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
> files\google\GoogleToolbar2.dll/cmcache.html
>
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
>
> O8 - Extra context menu item: Similar Pages - res://c:\program
> files\google\GoogleToolbar2.dll/cmsimilar.html
>
> O8 - Extra context menu item: Translate into English - res://c:\program
> files\google\GoogleToolbar2.dll/cmtrans.html
>
> O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
> C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
>
> O9 - Extra 'Tools' menuitem: Sun Java Console -
> {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
> Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
>
> O9 - Extra button: Create Mobile Favorite -
> {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft
> ActiveSync\inetrepl.dll
>
> O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -
> C:\Program Files\Microsoft ActiveSync\inetrepl.dll
>
> O9 - Extra 'Tools' menuitem: Create Mobile Favorite... -
> {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft
> ActiveSync\inetrepl.dll
>
> O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
> C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
>
> O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -
> C:\Program Files\Microsoft Money\System\mnyviewer.dll
>
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
> C:\Program Files\Messenger\msmsgs.exe
>
> O9 - Extra 'Tools' menuitem: Windows Messenger -
> {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
> Files\Messenger\msmsgs.exe
>
> O9 - Extra button: Flash Decompiler SWF Capture tool -
> {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\AFLASH~1\FLASHD~1\iebt.dll
> (HKCU)
>
> O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu -
> {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\AFLASH~1\FLASHD~1\iebt.dll
> (HKCU)
>
> O12 - Plugin for .spop: C:\Program Files\Internet
> Explorer\Plugins\NPDocBox.dll
>
> O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
> scanner) -
> http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
>
> O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) -
> http://scpwhb.ops.placeware.com/etc/place/HOTEL/SCHpws-b2/5.1.7.413/lib/quic
> ksilver.cab
>
> O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager)
> - http://12.20.72.79/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
>
> O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
> http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wu
> web_site.cab?1097767678814
>
> O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
> Class) -
> http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
>
> O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) -
> http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
>
> O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Profile.local
>
> O17 - HKLM\Software\..\Telephony: DomainName = Profile.local
>
> O17 -
> HKLM\System\CCS\Services\Tcpip\..\{8CBF2FBF-6B70-4FC8-BBFA-0DFC46C8B804}:
> NameServer = 66.73.20.40,206.141.193.55
>
> O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Profile.local
>
> O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Profile.local
>
> O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} -
> C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
>
> O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
>
> O23 - Service: Ati HotKey Poller - Unknown owner -
> C:\WINDOWS\system32\Ati2evxx.exe
>
> O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation -
> C:\Program Files\Symantec\pcAnywhere\awhost32.exe
>
> O23 - Service: BrSplService (Brother XP spl Service) - brother Industries
> Ltd - C:\WINDOWS\System32\brsvc01a.exe
>
> O23 - Service: I3 Update Service (I3UpdateSvc) - Interactive Intelligence,
> Inc. - C:\Program Files\Interactive Intelligence\I3UpdateSvcU.exe
>
> O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
> C:\Program Files\iPod\bin\iPodService.exe
>
> O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program
> Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
>
> O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
> Corporation - C:\Program Files\Norton SystemWorks\Norton
> AntiVirus\navapsvc.exe
>
> O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
> Corporation - C:\Program Files\Norton SystemWorks\Norton
> Utilities\NPROTECT.EXE
>
> O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
> C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
>
> O23 - Service: Speed Disk service - Symantec Corporation -
> C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 16 Jan 2010 Posts: 13104 Location: Ontario
Posted: Sat Apr 30, 2005 8:49 am
Hi
Sorry for delay...got called out to work.
Ensure your ad-aware is up to date.
If you still have Ewido; ensure it is up to date as well.
You should still have some time left on the 30 day trial.
Download CWShredder from here:
http://cwshredder.net/bin/CWShredder.exe
Save download but don't run it yet.
Make sure you can see hidden files:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=&docid=2002103012571948&nsf=ent-security.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=
Boot up to safe mode
Start hijackthis, run system scan only, check/fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://connect2agent.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [pahhron] c:\windows\system32\pahhron.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
Exit hijack when done.
Find and delete the following if found:
C:\WINDOWS\wupdt.exe <--file
C:\WINDOWS\farmmext.exe <--file
C:\WINDOWS\Pynix.dll <--file
C:\WINDOWS\systb.dll <--file
c:\windows\system32\pahhron.exe <--file
Click Start > Run, type %temp% and hit Enter.
Select all in folder> delete all.
Empty contents of C:\Windows\temp
Empty recycle bin.
Open internet options in control panel
Click "delete files", check to "delete offline content", then OK.
Run full system scan with ewido, allow it to remove all it finds, save its log to post here later.
Restart computer back to safe mode.
Run full scan with ad-aware
Let it remove all "critical objects"
Run CWShredder.exe
Click the "Fix" button (not just scan)
Let it fix what it wants.
Open Internet options in control panel
Click "programs" tab.
Click "reset web settings" and ok to reset home page.
Restart to normal windows.
Post both the new hijack log and scan log with Ewido.
Let me know how things are running.
thanks!
spoolsv.exe still spiking?
_________________
Never give up!
Microsoft MVP Windows-Security 2005-2009
Good/Bad anti spy apps
If we have helped you please consider a donation Thank You
pabloatlansingdotcom Newbie
Joined: 24 Apr 2005 Last Visit: 01 May 2005 Posts: 4
Posted: Sun May 01, 2005 6:48 am
Spoolsv.exe doesn't seem to be spiking. The ad popups are not happening, at least so far. I did not get a copy of the 'pre-cleaning' hijack log. The Ewido log is as follows. Thanks again.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:24:10 AM, 5/1/2005
+ Report-Checksum: 7E940DAA
+ Date of database: 5/1/2005
+ Version of scan engine: v3.0
+ Duration: 105 min
+ Scanned Files: 172760
+ Speed: 27.27 Files/Second
+ Infected files: 24
+ Removed files: 24
+ Files put in quarantine: 24
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\Documents and Settings\Paul\Cookies\paul@59297748[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@counter2.hitslink[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@ehg-dig.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@S126079[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@server.iad.liveperson[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@statse.webtrendslive[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00155133.EXE -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLER\NPROTECT\00157095.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\zip_install\backups\backup-20050430-224457-409.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\zip_install\backups\backup-20050430-224457-665.dll -> Spyware.DlMax.a -> Cleaned with backup
::Report End
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 16 Jan 2010 Posts: 13104 Location: Ontario
Posted: Sun May 01, 2005 8:42 am
Hi
Ok... let's see a new hijack log to see what you look like now.
Thanks!
spiderman2007 Newbie
Joined: 04 May 2005 Last Visit: 04 May 2005 Posts: 1
Posted: Wed May 04, 2005 6:56 am Post subject: this helped me also
blender wrote:
Hi and welcome
You have most of the right tools to kill this nasty off; it just needs a little tweaking in how it is done.
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Please do NOT run a scan yet.
^^You have already downloaded/installed it, just check for updates.
Please run Notepad and copy the following text into a new file:
Code:
@ECHO OFF
cd %windir%
REM Ask Nail.exe to uninstall itself with its own /FULLREMOVE switch
Nail.exe /FULLREMOVE
REM Disable, stop and then delete the SvcProc service
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so the files can be deleted
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit
Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". Don't run it yet.
Please copy the following instructions to Notepad... we will be going to safe mode and can't see this page.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.
Please note any errors and report them back here if any.
Then please run Ewido security suite, and perform a full scan. Remove anything found, and please save the logfile from the scan, because I will ask you to post it here for me later.
Then please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {38D4D5D0-423E-4220-B6F9-30918C2AE4A4} - C:\WINDOWS\frennk.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [fgmffq] c:\windows\system32\meocay.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Close all open windows except for HijackThis and click Fix Checked.
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
Thanks.
Hi Admin, you helped me a lot. Thanks!!
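The triage the responders do by hand in this thread (blender's fix list above and the quoted instructions in this post), written as a script. This is an added example, not code from the thread or from HijackThis: it parses HijackThis-format lines and flags the same kinds of entries the posters were told to fix. The sample entries are copied from the logs quoted in the thread; the HIJACK_HOSTS and KNOWN_BAD_IMAGES sets and the Windows-directory heuristic are assumptions of this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts and image names the responders told the posters to fix in this thread
# (assumption of this example; a real triage would use a maintained list).
HIJACK_HOSTS = {"websearch.drsnsrch.com", "connect2agent.com"}
KNOWN_BAD_IMAGES = {"pahhron.exe", "farmmext.exe", "wupdt.exe", "nail.exe", "svcproc.exe",
                    "meocay.exe", "pynix.dll", "systb.dll", "frennk.dll", "drpmon.dll"}
# Legitimate BHOs live under Program Files; a DLL directly in C:\WINDOWS or
# system32 is a review heuristic, not proof.
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$", re.I)

# Constructed sample: entries copied from the HijackThis logs quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://connect2agent.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [pahhron] c:\windows\system32\pahhron.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str
    line: str

def _image_path(target):
    # Strip surrounding quotes and trailing arguments or "(file missing)" notes.
    m = re.match(r'^"?(.*?\.(?:exe|dll|ocx))', target.strip(), re.I)
    return m.group(1) if m else target.strip()

def triage_line(line):
    # Returns a Finding for one HijackThis line, or None if it looks clean.
    line = line.strip()
    m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line)
    sec, body = m.groups() if m else ("", "")
    if sec in ("R0", "R1"):                  # IE search / start page values
        value = body.partition(" = ")[2]
        host = urlparse(value if "://" in value else "http://" + value).hostname or ""
        if host.lower() in HIJACK_HOSTS:
            return Finding(sec, f"search/start page redirected to {host}", line)
    elif sec == "F2" and "Shell=" in body:   # system.ini shell hook (Nail.exe)
        shell = [t.lower() for t in body.split("Shell=", 1)[1].split()]
        if shell != ["explorer.exe"]:
            return Finding(sec, "extra program hooked into the Windows shell", line)
    elif sec in ("O2", "O3", "O4", "O23"):   # BHOs, toolbars, Run keys, services
        target = body.split("] ", 1)[-1] if sec == "O4" else body.rsplit(" - ", 1)[-1]
        image = _image_path(target)
        name = image.replace("/", "\\").split("\\")[-1].lower()
        if name in KNOWN_BAD_IMAGES:
            return Finding(sec, f"known component from this thread: {name}", line)
        if "(file missing)" in body or "(no file)" in body:
            return Finding(sec, "orphaned entry, target file no longer exists", line)
        if sec in ("O2", "O3") and WINDOWS_ROOT.match(image):
            return Finding(sec, "browser add-on loaded from the Windows directory", line)
    return None

def triage(log_text):
    return [f for f in map(triage_line, log_text.splitlines()) if f]
```

Entries like the Google Toolbar BHO and the Synaptics Run key pass through untouched, which is the point of checking the image path rather than the section alone.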
argChemE Newbie
Joined: 23 May 2005 Last Visit: 23 May 2005 Posts: 1
Posted: Mon May 23, 2005 5:55 pm
I had this damn thing forever and could not get rid of it until one day I tried to click the close box and I clicked the question mark next to it. It gives you a link to follow that is a download program that removes the software. Good luck
Old Bones Newbie
Joined: 13 May 2005 Last Visit: 03 Jun 2005 Posts: 1 Location: Pennsylvania, USA
Posted: Thu Jun 02, 2005 1:56 pm
AHHH FORGET IT!!
Last edited by Old Bones on Fri Jun 03, 2005 9:10 am; edited 1 time in total
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 16 Jan 2010 Posts: 13104 Location: Ontario
Posted: Fri Jun 03, 2005 2:37 am
Due to prolonged inactivity from the original poster, this topic is now locked!
pabloatlansingdotcom
If you need topic re-opened please PM me.
New issues please launch a new thread.
Thank you.