Spyware Warrior: Help with Spyware, Hijacking & Other Internet Nuisances

Aurora and associated cr*p.. [well not anymore]

 
camel
Junior Member


Joined: 27 Jun 2004
Last Visit: 10 Sep 2005
Posts: 13
Location: Australia

PostPosted: Tue Jun 21, 2005 10:21 pm    Post subject: Aurora and associated cr*p.. [well not anymore]

I've been infected with Aurora, ABI, DrPmon, Nail.exe, etc...

I've read through the other topics on this particular spyware and thought about fixing it myself... but I don't want to risk doing something I don't know much about. I know this is probably nothing new to you hijack analysts, and probably a really annoying thing as so many people have this... but if you have time to view my hijack, it will be much appreciated.

Atm, it doesn't seem that anything is happening to my comp other than the occasional popup from Aurora, and that Nail.exe could not be executed/found... anyway, here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 4:14:30 PM, on 22/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\windows\system32\hilfwf.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.db-au.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.db-au.net
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
O4 - HKLM\..\Run: [ycrbxf] c:\windows\system32\hilfwf.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Thanks


Last edited by camel on Fri Jul 22, 2005 9:50 am; edited 1 time in total
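The log above is what the helper reads by section prefix (F2, O4, O15, O23 and so on). As an added example that is not part of this thread or of HijackThis, here is a small Python triage script that encodes the kind of checks an analyst applies to such a log: a Winlogon Shell value that loads more than Explorer.exe, Run entries with random-letter names or executables launched from the drive root, any Trusted Zone additions, and a core Windows binary name (svchost.exe) running outside System32. The sample lines are constructed from the logs posted in this thread; the heuristics, regular expressions and function names are my own, not HijackThis's.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines taken from the HijackThis logs in this
# thread, mixed with legitimate entries (AVG, Adobe, iPod) for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ycrbxf] c:\windows\system32\hilfwf.exe r
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
RANDOM_NAME = re.compile(r"^[a-z]{5,8}$")        # e.g. ycrbxf, hilfwf, bqzejj
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\[^\\]+$")   # e.g. C:\winstall.exe
# Core Windows binaries that only belong in %SystemRoot%\System32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "smss.exe"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def basename(path: str) -> str:
    return path.rstrip().rsplit("\\", 1)[-1]


def command_exe(cmd: str) -> str:
    """Return the executable part of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def check_f2(body: str):
    # body looks like: REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    m = re.search(r"Shell=(.*)$", body, re.IGNORECASE)
    if m and m.group(1).strip().lower() != "explorer.exe":
        return "Winlogon Shell value starts something besides Explorer.exe"
    return None


def check_o4(body: str):
    # body looks like: HKLM\..\Run: [ycrbxf] c:\windows\system32\hilfwf.exe r
    m = re.match(r"[^:]*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", body)
    if not m:                      # Startup-folder .lnk lines have no [name]
        return None
    name, exe = m.group("name"), command_exe(m.group("cmd"))
    stem = re.sub(r"\.exe$", "", basename(exe).lower())
    if RANDOM_NAME.match(name) and RANDOM_NAME.match(stem):
        return "random-letter Run entry and executable name"
    if DRIVE_ROOT.match(exe):
        return "Run entry launches an executable from the drive root"
    return None


def check_o15(body: str):
    # Any site in the Trusted Zone bypasses Internet-zone restrictions in IE.
    return "Trusted Zone / Trusted IP range entry added"


def check_o23(body: str):
    # body looks like: Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
    if body.startswith("Service: "):
        body = body[len("Service: "):]
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    _display, _owner, path = parts
    if basename(path).lower() in SYSTEM_BINARIES and "\\system32\\" not in path.lower():
        return "core Windows binary name running outside System32"
    return None


CHECKS = {"F2": check_f2, "O4": check_o4, "O15": check_o15, "O23": check_o23}


def triage(log_text: str) -> list[Finding]:
    """Run the section-specific checks over every recognised HijackThis line."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("section"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append(Finding(m.group("section"), reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

The kernels32.exe entry registered under the name [System] is deliberately left uncaught: the patterns are kept narrow so they do not flag legitimate entries such as AVG's, which is also why a log like this still needs a human reader rather than a script alone.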
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

PostPosted: Thu Jun 23, 2005 10:10 pm    Post subject:

Hi

Sorry for the delay...

Looks like most of the problem is not there...

Let's do this:

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

You may need to manually update the definitions which you can get here:

http://www.ewido.net/en/download/updates/


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Then please run Ewido, and run a full scan. Save the logfile from the scan. Please allow it to fix what it finds.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [ycrbxf] c:\windows\system32\hilfwf.exe r

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

thanks!
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
camel
Junior Member


Joined: 27 Jun 2004
Last Visit: 10 Sep 2005
Posts: 13
Location: Australia

PostPosted: Wed Jun 29, 2005 9:19 am    Post subject:

Sorry for the late reply... couldn't find my post.
Anyway, here are the logs:


Logfile of HijackThis v1.99.1
Scan saved at 3:13:40 AM, on 30/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system32\hunxqn.exe
c:\windows\system32\mmjhpr.exe
c:\windows\system32\qgolwr.exe
c:\windows\system32\ywhxhhu.exe
c:\windows\system32\bqzejj.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.db-au.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.db-au.net
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
O4 - HKLM\..\Run: [lwzelz] c:\windows\system32\bqzejj.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120008220093
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:01:01 AM, 30/06/2005
+ Report-Checksum: 5D3582EF

+ Date of database: 29/06/2005
+ Version of scan engine: v3.0

+ Duration: 24 min
+ Scanned Files: 70199
+ Speed: 47.10 Files/Second
+ Infected files: 25
+ Removed files: 25
+ Files put in quarantine: 25
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:

Settings\Temp\XMI\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\jdybqlaizmu.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\system32\ntfsnlpa.exe -> Spyware.Msnagent -> Cleaned with backup
C:\WINDOWS\system32\opjtbyf.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\rdsndin.exe -> Spyware.FindSpy -> Cleaned with backup
D:\WINNT\system32\sahagent1015.exe -> Spyware.Sahat.a -> Cleaned with backup
D:\WINNT\Downloaded Program Files\popcaploader.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
D:\WINNT\NDNuninstall6_10.exe -> Spyware.NewDotNet -> Cleaned with backup
D:\Program Files\filesubmit\linkin_park_theme.exe\nnez_388.exe -> Spyware.NewDotNet -> Cleaned with backup


::Report End


Still infected... no luck.
Each startup I get a message saying Nail.exe couldn't be accessed, and random-letter files, which Spy Sweeper detects, located in the system32 folder..

e.g. c:\windows\system32\hunxqn.exe
c:\windows\system32\mmjhpr.exe
c:\windows\system32\qgolwr.exe
c:\windows\system32\ywhxhhu.exe
c:\windows\system32\bqzejj.exe

Each startup the random letters change...
camel
Junior Member


Joined: 27 Jun 2004
Last Visit: 10 Sep 2005
Posts: 13
Location: Australia

PostPosted: Wed Jun 29, 2005 9:32 am    Post subject:

Maybe I should start again and follow the sticky at the top of the forums, and post a new log?

Because I've read other forums and they said to

"When installing Ewido, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu"."

I didn't uncheck it ><
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

PostPosted: Thu Jun 30, 2005 5:17 am    Post subject:

Hi

Yes...go ahead and do as per the sticky.


You can open Ewido and tell it to 'uninstall guard' by clicking "uninstall guard"

When you post your next set of logs...at the bottom click on " Watch this topic for replies"
You will get notified by email when I reply back.

I'll need both a new Hijackthis log and the log from Ewido.

thanks!
camel
Junior Member


Joined: 27 Jun 2004
Last Visit: 10 Sep 2005
Posts: 13
Location: Australia

PostPosted: Fri Jul 22, 2005 9:46 am    Post subject:

I decided to reformat my comp instead of trying to remove the spyware... too much work, and I'd rather a clean start. Anyway, I reformatted and started searching through to find various protection against spyware; I came across an unwanted site and now I have spyware all over again. Sorry for the late post, I was on holidays overseas... anyway

my desktop wallpaper changed, and I now have SpySheriff and other nasties

Here is my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 3:43:47 AM, on 23/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\init32m.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\System32\symcsvc.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\WINDOWS\sys3659.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb005.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O21 - SSODL: System - {A63DF077-2B10-4308-BA47-6DB52DF30CD9} - vr_sys.dll (file missing)
O21 - SSODL: Spybot - Search & Destroy_is1 - {7630064E-1F63-5FEB-2611-C8ED82FB410E} - c:\program files\spybot - search & destroy\wingead4.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

PostPosted: Fri Jul 22, 2005 11:43 am    Post subject:

Hi

Picked up a nasty one...

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*Download Killbox by Option^Explicit from here:

http://www.bleepingcomputer.com/files/killbox.php

*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.

*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINDOWS\sites.ini
C:\WINDOWS\popuper.exe
C:\Windows\desktop.html
C:\Windows\screen.html
C:\Windows\zloader3.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\hhk.dll
C:\WINDOWS\System32\helper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\System32\ole32vbs.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\msmsgs.exe
C:\Windows\System32\hp188f.tmp
C:\WINDOWS\System32\LogFiles\A5281300.so
C:\WINDOWS\system32\hookdump.exe
C:\Windows\System32\winook.exe
C:\windows\system32\wp.bmp
C:\Windows\system32\oleadm32.dll
C:\windows\system32\oleadm.dll

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Restart computer manually

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES. How to here:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=&docid=2002103012571948&nsf=ent-security.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard
C:\Program Files\SpySheriff

FILES to delete if found:

C:\WINDOWS\System32\symcsvc.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\winstall.exe

Start Hijackthis, run system scan only and check:

F2 - REG:system.ini: Shell=Explorer.exe init32m.exe

O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb005.dll

O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe

O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

O21 - SSODL: System - {A63DF077-2B10-4308-BA47-6DB52DF30CD9} - vr_sys.dll (file missing)

Close all open windows except hijack and click "fix checked"

Reboot into normal mode.

A registry file to undo most of the changes is available here:

http://metallica.geekstogo.com/smitfraud.reg

Doubleclick that file and confirm you want to merge it with the registry.

1.) Download the Hoster from here:

http://www.funkytoad.com/download/hoster.zip

Unzip it, double click hoster.exe

Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/winhelp2002/DelDomains.inf

To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!:

http://www.spywareaid.com/index.php?file=showsoftware&action=dl&softid=1&softtype=exe

Try this link if above one does not work:

http://home.comcast.net/~sgould4567/software/cleanup/download.html

Learn how to use Cleanup:

http://home.comcast.net/~sgould4567/software/cleanup/running.html

4.) Run a virus scan. If you do not have an AV installed, use ActiveScan - Save the results from the scan!

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

5.) Reboot and post a new hijackthis log, let me know how the machine is running.
Please also post log from Panda scan (activescan.txt)

thanks!
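A set of instructions like the one above is only as good as the follow-up check: the next log has to be compared against both the HijackThis entries that were to be fixed and the files that were queued for deletion. The Python below does that comparison. It is an added example, not part of this thread or of any tool named in it; the sample inputs are trimmed, constructed copies of the logs camel posted before and after following these steps, and the function names are mine.

```python
import re

# Constructed from this thread: the HijackThis entries the helper asked to have
# fixed, and files from the Killbox / manual deletion lists.
TO_FIX = r"""
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb005.dll
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O21 - SSODL: System - {A63DF077-2B10-4308-BA47-6DB52DF30CD9} - vr_sys.dll (file missing)
"""
TO_DELETE = [
    r"C:\WINDOWS\svchost.exe",
    r"C:\WINDOWS\System32\symcsvc.exe",
    r"C:\WINDOWS\System32\vxh8jkdq2.exe",
    r"C:\winstall.exe",
]

# Trimmed copies of the logs posted before and after the fix (constructed).
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\init32m.exe
C:\WINDOWS\System32\symcsvc.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb005.dll
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O21 - SSODL: System - {A63DF077-2B10-4308-BA47-6DB52DF30CD9} - vr_sys.dll (file missing)
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
"""
AFTER_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\svchost.exe
C:\HijackThis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\RunOnce: [Panda_cleaner_188655] C:\WINDOWS\System32\ActiveScan\pavdr.exe 188655
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
"""

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")


def norm(line: str) -> str:
    """Case- and whitespace-insensitive form, so re-scans compare cleanly."""
    return " ".join(line.split()).lower()


def entries(log_text: str) -> set:
    """All 'Oxx - ' style HijackThis entries in a log, normalised."""
    return {norm(l) for l in log_text.splitlines() if ENTRY_RE.match(l.strip())}


def processes(log_text: str) -> set:
    """Paths listed under 'Running processes:' up to the first blank line."""
    out, collecting = set(), False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line:
                break
            out.add(line.lower())
    return out


def verify(to_fix: str, to_delete: list, before: str, after: str) -> dict:
    wanted = entries(to_fix)
    before_entries, after_entries = entries(before), entries(after)
    after_procs = processes(after)
    return {
        # requested entries that no longer appear in the new log
        "fixed": sorted(wanted - after_entries),
        # requested entries that survived the Fix Checked step
        "still_listed": sorted(wanted & after_entries),
        # files queued for deletion that are nevertheless still running
        "still_running": sorted(p for p in to_delete if p.lower() in after_procs),
        # entries that did not exist before; worth a look, not necessarily bad
        "new_entries": sorted(after_entries - before_entries),
    }


if __name__ == "__main__":
    for key, items in verify(TO_FIX, TO_DELETE, BEFORE_LOG, AFTER_LOG).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```

On these inputs every requested HijackThis entry is gone, but still_running reports C:\WINDOWS\svchost.exe, which matches the follow-up log later in the thread where the "svchost.exe (moto)" service is still listed; that is the kind of leftover a second round of instructions would target. new_entries lists the Panda ActiveScan RunOnce and DPF entries, which appear because the scan was run, so they are expected rather than suspicious.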
camel
Junior Member


Joined: 27 Jun 2004
Last Visit: 10 Sep 2005
Posts: 13
Location: Australia

PostPosted: Sat Jul 23, 2005 12:00 am    Post subject:

Here is my new hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 5:54:47 PM, on 23/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [Panda_cleaner_188655] C:\WINDOWS\System32\ActiveScan\pavdr.exe 188655
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O21 - SSODL: Spybot - Search & Destroy_is1 - {7630064E-1F63-5FEB-2611-C8ED82FB410E} - c:\program files\spybot - search & destroy\wingead4.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe

And active scan:


Incident Status Location

Virus:Trj/Downloader.DLH Disinfected Operating system
Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM32\init32m.exe
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\SYSTEM32\symcsvc.exe
Adware:adware/spysheriff No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SPYSHERIFF
Adware:adware/spywareno No disinfected HKEY_CURRENT_USER\SOFTWARE\SNO
Adware:adware/azesearch No disinfected HKEY_CLASSES_ROOT\ZTOOLBAR.ACTIVATOR
Adware:adware/mediatickets No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\TRUST DATABASE\0\PPCIMDNNNJBEAHEPFABJIPFGINLOEDKG EGCKAK
Virus:Trj/Downloader.DLH Disinfected C:\Documents and Settings\Bullseye21\Local Settings\Temp\EF.tmp
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\0937CEFE-A0F1-454A-B188-3B8B7D.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\142C586C-4C16-407A-B4B6-BA17E1.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\16532535-A4B4-4AD9-AE12-B0B755.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\19B55DB5-60AB-4C89-96D8-FEC474.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\1AFDE8F4-B607-4FA6-9868-EA61C9.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\317A4943-78B3-4D90-98F9-F53376.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\388C23CC-E084-40A6-88F0-6591D6.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\49085E65-74D2-43FA-949F-82B88F.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4ABC330D-19EB-4DFE-96D1-2D0875.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\56FA1D22-CE70-45C5-9C7C-AE51EE.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\64397E1B-2940-455C-96F9-2428E5.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\669FF244-E12C-4152-8946-64C7B5.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\6D8179E7-F129-4075-BC50-084AC9.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\71AB447D-8CE3-478B-90B8-32341D.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\77CE0A36-AE0D-4484-8336-9A5488.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\823E25A7-69D1-4AFD-8D75-D6E557.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\85C8225F-28B7-4906-86FB-B6CACD.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\8B1D1B55-CDA5-4C9C-9653-6D06CE.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\8D114A7F-27D3-4845-99F3-FD45D8.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\91CD26BF-2ADE-49DF-B824-4A2B2D.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\978815F7-FF93-44F9-9BD7-F3637A.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\CB62B9B0-3BA8-4DF0-9C57-C73CB5.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\CE5094EC-0523-4F48-AE69-AAE90E.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D1DF8CFB-43DD-4E4C-96C3-E45A15.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D324AE3D-DEE6-48FD-8EF1-9930C1.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D677872F-1038-4FCB-A269-52E509.asq
Virus:Trj/Downloader.DJV Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F14F5096-1F9D-42A5-BCCC-C95C41.asq
Adware:Adware/SpywareNo No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2E5D7C6A-52EC-4246-B7B8-4F23BD\37FB35DE-27DD-476B-9AAD-8CDABB
Adware:Adware/SpywareNo No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2E5D7C6A-52EC-4246-B7B8-4F23BD\9991EA49-2AD6-4868-AE32-13937A
Adware:Adware/AzeSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C480501D-6C69-4389-BAAE-CFDAA7\539DEDED-77A1-4A31-A6A4-E25F3C
Virus:Trj/Downloader.DJV Disinfected C:\WINDOWS\svchost.exe
Virus:Trj/Sachek.A Disinfected C:\WINDOWS\system32\6868359.exe
Virus:Trj/Pdpinch.Q Disinfected C:\WINDOWS\system32\abc.exe
Virus:Trj/Agent.EY Disinfected C:\WINDOWS\system32\init32m.exe
Virus:Trj/Downloader.DEW Disinfected C:\WINDOWS\system32\kernels32.exe
Virus:Trj/Downloader.DLH Disinfected C:\WINDOWS\system32\vxgame1.exe
Virus:Trj/Agent.EY Disinfected C:\WINDOWS\system32\vxgame3.exe
Virus:Trj/Clicker.HA Disinfected C:\WINDOWS\system32\vxgame4.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vxgame6.exe
Virus:Trj/Sachek.A Disinfected C:\WINDOWS\system32\vxgamet1.exe
Virus:Trj/Lowzones.FO Disinfected C:\WINDOWS\system32\vxgamet2.exe
Virus:Trj/Downloader.DOC Disinfected C:\WINDOWS\system32\vxh8jkdq1.exe
Virus:Trj/Downloader.DHI Disinfected C:\WINDOWS\system32\vxh8jkdq5.exe
Virus:Trj/Downloader.CRY Disinfected C:\WINDOWS\system32\vxh8jkdq6.exe
Virus:Trj/Downloader.DOC Disinfected C:\WINDOWS\system32\vxh8jkdq8.exe
Virus:Trj/Downloader.DEW Disinfected C:\WINDOWS\system32\web.exe
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\ztoolb005.dll
Virus:Trj/Multidropper.AEW Disinfected D:\WINNT\system32\in10b6.dll
Spyware:Spyware/BetterInet No disinfected D:\WINNT\inf\biini.inf
Spyware:Spyware/BetterInet No disinfected D:\WINNT\inf\biO.inf
Adware:Adware/SAHAgent No disinfected D:\WINNT\inf\bi6.inf
Adware:Adware/PopCapLoader No disinfected D:\WINNT\Downloaded Program Files\popcaploader.inf
Spyware:Spyware/BetterInet No disinfected D:\Program Files\Common Files\updmgr\data1.dat
Spyware:Spyware/BetterInet No disinfected D:\Program Files\Common Files\updmgr\data2.dat
Spyware:Spyware/BetterInet No disinfected D:\Program Files\Common Files\updater\data1.dat
Spyware:Spyware/BetterInet No disinfected D:\Program Files\Common Files\updater\data2.dat
Adware:Adware/SAHAgent No disinfected D:\System Volume Information\_restore{0A47DB06-9417-4A80-A57D-304915AEF4A6}\RP35\A0016944.exe
Adware:Adware/PopCapLoader No disinfected D:\System Volume Information\_restore{0A47DB06-9417-4A80-A57D-304915AEF4A6}\RP35\A0016945.dll
Spyware:Spyware/New.net No disinfected D:\System Volume Information\_restore{0A47DB06-9417-4A80-A57D-304915AEF4A6}\RP35\A0016946.exe
Spyware:Spyware/New.net No disinfected D:\System Volume Information\_restore{0A47DB06-9417-4A80-A57D-304915AEF4A6}\RP35\A0016947.exe
Virus:Trj/Multidropper.AEW Disinfected D:\System Volume Information\_restore{C7E62EB6-96E3-4267-BAE8-764A0837D939}\RP14\A0004825.dll
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

PostPosted: Thu Jul 28, 2005 5:05 am    Post subject: Reply with quote

Hi

Sorry for the delay... I lost your reply notification...

HijackThis log looking much better.

Still some files and registry items to remove and likely still a few files kicking around.

We have a newer tool available to help remove the rest of this.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.


Click Start > Run, type cmd and hit Enter.
Type sc stop moto and hit Enter. If you get an error, continue anyway.
Type sc delete moto and hit Enter.
You should get a success message.

Exit the cmd prompt.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the c:\smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Thanks
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
camel
Junior Member


Joined: 27 Jun 2004
Last Visit: 10 Sep 2005
Posts: 13
Location: Australia

PostPosted: Sat Jul 30, 2005 6:08 am    Post subject: Reply with quote

I've just been infected with Aurora again.. plus the things I had previously..

I'm really getting frustrated over all these nasties I have on my comp so I'm going to reformat another time... I think it will be quicker that way than to wait for the replies, and plus it is guaranteed I will get rid of all the unwanted things I had previously.

The thing is, no matter where I go I always seem to bump into spyware! I can't avoid it! I'm so careful where I click, yet it always gets me in the end.. I use Spybot, Ad-Aware, Microsoft AntiSpyware, spyblaster, spyguard, but they don't seem to prevent them directly.

I think I need some tips, what kind of programs should I install for protection against spyware? Sorry for the trouble of taking the time to write out the previous posts..

Thanks for your help anyway, much appreciated.
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 09 Apr 2014
Posts: 10886
Location: Ontario

PostPosted: Sun Jul 31, 2005 11:19 am    Post subject: Reply with quote

Hi

Once you get the OS re-installed... before going online... turn on the XP firewall so internet worms don't get you just for being online. 10 minutes unprotected will get you infected without even opening IE.

How to turn it on:

http://www.microsoft.com/athome/security/protect/windowsxp/firewall.mspx

Before surfing anywhere....

First place to hit is Windows Update. Get all your updates. It will take several visits/reboots to get them all.

Install an antivirus.
Here is a good free one:

http://free.grisoft.com/freeweb.php/doc/2/

Ensure it's up to date after initial install.

Install the antispyware apps you have installed now.

Additional apps:

IE-Spyad <-- this puts several thousand sites in the Restricted zone for IE. If you happen on a site within its list they can't hijack you or install anything.
The program is free and updated about once a month.

Please follow readme instructions for install...it is a little different.

Using a hosts file will greatly increase security. Many of those flashy annoying ads on websites will not display, and it blocks access to thousands of sites entirely.

Info and how to install:

http://www.mvps.org/winhelp2002/hosts.htm

I would also install a 3rd party firewall. The XP one is ok for blocking unwanted incoming traffic but not that good for outgoing traffic control.

Firewall info:

http://www.spywarewarrior.com/viewtopic.php?t=14155

I would also consider using a different browser for day to day use.
I like Firefox and Opera.
Both are free:

http://www.mozilla.org/products/firefox/

http://www.opera.com/

Because some web pages and downloads, such as Windows Update and most online scanners, will only work in IE, you will still need IE.

Check IE security settings:


  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.

    1. Change the Download signed ActiveX controls to Prompt
    2. Change the Download unsigned ActiveX controls to Disable
    3. Change the Initialise and script ActiveX controls not marked as safe to Disable
    4. Change the Installation of desktop items to Prompt
    5. Change the Launching programs and files in an IFRAME to Prompt
    6. Change the Navigate sub-frames across different domains to Prompt
    7. When all these settings have been made, click on the OK button.
    8. If it prompts you as to whether or not you want to save the settings, press the Yes button.

  5. Next press the Apply button and then the OK to exit the Internet Properties page.



Then install your favorite apps and update them as appropriate.

A note on other apps. Any new software you download... be sure to read the End User Licence Agreement. Yes, it is somewhat of a PITA, but...
Most will tell you in the agreement if it contains 3rd party software to display ads... or worse.

Additional info on spyware & trojans.

Prevent spyware install:

http://boards.cexx.org/viewtopic.php?t=957


http://www.spywarewarrior.com/viewtopic.php?t=10027

Good luck with the new install.
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
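The hosts file advice above works because a blocklist-style hosts file points unwanted names at 0.0.0.0 or 127.0.0.1 so they never resolve. The flip side, which the reply does not spell out, is that malware of this kind also edits the hosts file, either sending a security vendor's site to a stranger's address or blackholing Windows Update. The script below is an added example, not the MVPS hosts project's code or anything from this thread: it parses hosts-file text, answers whether a name would be blocked (Windows uses the first matching entry), and reports entries that look like tampering rather than blocking. The sample hosts text and the list of protected names are constructed for the example.

```python
"""Check a hosts file used as a blocklist and spot hijacked entries.

Added example, not from the MVPS hosts project or the forum post. Blocking
entries map a name to a blackhole address; anything else for a name that
matters (vendor sites, Windows Update) is treated as tampering.
"""
import ipaddress
from typing import Dict, List, NamedTuple

# Addresses a blocklist hosts file legitimately points unwanted names at.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed list: names that a hosts file should never map at all.
PROTECTED_NAMES = {
    "windowsupdate.microsoft.com",
    "free.grisoft.com",
    "www.spywarewarrior.com",
}

# Constructed sample hosts file; line 7 is deliberately malformed.
SAMPLE_HOSTS = "\n".join([
    "# Constructed sample hosts file (not taken from the infected machine)",
    "127.0.0.1       localhost",
    "0.0.0.0         ads.example.net      # blocklist entry: name never resolves",
    "0.0.0.0         tracker.example.org",
    "198.51.100.7    free.grisoft.com     # hijack: vendor site sent to a stranger",
    "127.0.0.1       windowsupdate.microsoft.com  # hijack: updates blackholed",
    "this is not a hosts line",
])


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    names: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text; comments and lines without a valid IP are skipped."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, the resolver ignores it too
        entries.append(HostsEntry(line_no, parts[0], [n.lower() for n in parts[1:]]))
    return entries


def is_blocked(entries: List[HostsEntry], hostname: str) -> bool:
    """True if the first matching entry (the one the resolver uses) blackholes the name."""
    host = hostname.lower()
    for entry in entries:
        if host in entry.names:
            return entry.ip in BLACKHOLE
    return False


def audit_hosts(entries: List[HostsEntry]) -> Dict[str, List[HostsEntry]]:
    """Report entries that look like tampering: redirects to real addresses,
    and any mapping at all for a protected name (even to a blackhole)."""
    redirects = [e for e in entries if e.ip not in BLACKHOLE]
    protected = [e for e in entries if PROTECTED_NAMES & set(e.names)]
    return {"redirects": redirects, "protected_names_mapped": protected}


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    print("ads.example.net blocked:", is_blocked(parsed, "ads.example.net"))
    for kind, hits in audit_hosts(parsed).items():
        for e in hits:
            print(f"{kind}: line {e.line_no}: {e.ip} {' '.join(e.names)}")
```

On the sample, the two blocklist entries behave as intended and both hijacks are reported: the grisoft entry because it points at a routable address, and the Windows Update entry because a protected name appears at all, even though 127.0.0.1 would look like an ordinary block. On a real XP machine the file to feed in is %SystemRoot%\system32\drivers\etc\hosts.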
camel
Junior Member


Joined: 27 Jun 2004
Last Visit: 10 Sep 2005
Posts: 13
Location: Australia

PostPosted: Sat Sep 10, 2005 4:04 am    Post subject: Reply with quote

Thanks mate :]
So far I've had no threats ever since I've started using Mozilla Firefox..
<3