I followed the directions, as much as possible. I ran the ewido scan and here are the results:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 4:18:56 PM, 6/25/2005
+ Report-Checksum: 2F5930BA
+ Date of database: 6/25/2005
+ Version of scan engine: v3.0
+ Duration: 48 min
+ Scanned Files: 79043
+ Speed: 26.93 Files/Second
+ Infected files: 54
+ Removed files: 54
+ Files put in quarantine: 54
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\Documents and Settings\Trevor\Cookies\trevor@overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\BRXF7HKG\My404[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099573.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099574.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099575.exe -> Spyware.Gator -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099576.exe -> Spyware.Gator -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099577.dll -> Spyware.WinAD.ag -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099578.exe -> Spyware.WinAD.am -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099579.exe -> Spyware.WinAD -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099580.DLL -> Spyware.MyWay.j -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099581.EXE -> Spyware.MyWay.j -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099582.dll -> Spyware.SmartPops -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099583.exe -> Spyware.SmartPops -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099584.exe -> Spyware.WeirWeb -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099585.exe -> TrojanDownloader.Small.akz -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099586.dll -> Spyware.BookedSpace.e -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099587.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099588.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099589.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099590.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099591.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099592.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099593.exe -> TrojanDownloader.Small.ayh -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099594.exe -> Spyware.Apropos -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099595.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099596.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099597.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099598.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099599.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099600.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099601.vxd -> Spyware.MediaPass -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099602.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099603.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099604.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099605.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099606.cpl -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099607.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099608.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099609.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099618.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\My404.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM\QB.exe -> TrojanDownloader.Small.aly -> Cleaned with backup
C:\WINDOWS\SYSTEM32\uci.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vtdqgf.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wei0_qcx.exe -> TrojanDownloader.Agent.ed -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wintask.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wldpserv.exe -> TrojanDownloader.Apropo.ac -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wrapperouter.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\vybzmwguwfq.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
Hi, Rovert122. It looks like the nail infection is gone, so let’s get started on the rest. You will be starting your computer in Safe Mode later in the fix, which will prevent you from accessing the Internet, so I recommend you either print these instructions or save them to a file for reference.
Download CWShredder. Save it to your desktop, run it, and then click Check For Update. After obtaining any updates, close CWShredder. We will run a scan with it later in Safe Mode.
Download miekiemoes' LQfix batch. Unzip it to your desktop but do NOT run it yet. We will use it later in Safe Mode.
Please download the Ie.Plugin from Symantec and save it to your desktop. Now, please double-click the removal tool to remove the IE.Plugin from your system.
You need to remove the following programs (if present) from Add/Remove Programs in the Windows Control Panel:
Weatherbug
Windows AFA Internet Enhancement
The older versions of Weatherbug came bundled with spyware. If this is something you use, you may download the newest version, which is reportedly free of spyware, after your system is clean.
I would advise you to also remove Viewpoint Manager through Add/Remove Programs. Many experts feel this program is borderline spyware and should be removed, but the debate is ongoing. I will leave the decision up to you.
Restart your computer.
Run HijackThis and click Do a system scan only and check the box next to each of these items. Running the Symantec Removal Tool and removing some programs may have taken care of some of these items, so don’t worry if something isn’t there.
Close all open windows, including this one, and click Fix Checked.
We need to make sure you can see all files, including hidden and system files. Please click Start => My Computer. On the menu bar select Tools => Folder Options, and then select the View tab. Under the Hidden files and folders heading, please make sure Show hidden files and folders is checked and Hide protected operating system files (recommended) is unchecked. Click Yes to confirm, and then click OK.
Now, restart your computer into Safe Mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
Using Windows Explorer, please delete the following files (shown below in red) if still present:
If you chose to remove Viewpoint Manager, please delete this folder also if still present:
C:\Program Files\Viewpoint\
You will need to search for the last file that needs to be deleted. Please click Start => Search => All files and folders. In the All or part of the file name: box, type taru.exe. Make sure the Look in: box is set to search your C: drive, and then click Search. When the search has been completed, please delete every instance of the taru.exe file found.
Please run CWShredder and click Fix to remove the CWS infection from your system.
Run LQfix.bat. If you get a warning about a script/batch file trying to run, please choose to allow it.
When finished, please restart your computer normally.
Now, download Hoster, unzip it, and then run the hoster.exe program file. Click Restore Original Hosts. Warning: This will restore your Hosts file to the original Microsoft configuration. If you were using a customized Hosts file, you will need to manually add any necessary entries.
Please run the ewido scan one more time to make sure it got everything and save the log.
Run HijackThis again, and post a fresh log for me to review, along with the new log from ewido. Also, please let me know if you had trouble completing any of the steps in this fix.
Logfile of HijackThis v1.99.1
Scan saved at 2:51:24 PM, on 6/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
After following those steps here are the results to my new scans; first the ewido scan:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 2:50:19 PM, 6/26/2005
+ Report-Checksum: 114592AA
+ Date of database: 6/26/2005
+ Version of scan engine: v3.0
+ Duration: 38 min
+ Scanned Files: 79548
+ Speed: 34.39 Files/Second
+ Infected files: 40
+ Removed files: 40
+ Files put in quarantine: 40
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\Documents and Settings\Trevor\Cookies\trevor@ads.addynamix[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@dcsd5wwin5twkfrzuk84u2yuc_4j4l[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@mediaplex[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@statse.webtrendslive[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@targetnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@www.eadexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@www.shopathomeselect[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\K7ZZMOXX\inst4[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\K7ZZMOXX\pcs_0006[1].exe -> Spyware.Pacer.b -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\LIBS8Q0F\inst13[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\VUGJZ9OD\inst7[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\VUGJZ9OD\trk_0002[1].exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\VUGJZ9OD\trk_0006[1].exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\VUGJZ9OD\trk_0021[1].exe -> Spyware.Pacer.e -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\X3O4SL3B\trk_0009[1].exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\ZV5SQGDX\My404[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\ZV5SQGDX\website[1].ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099629.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099630.exe -> TrojanDownloader.Small.aly -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099631.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099632.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099633.exe -> TrojanDownloader.Agent.ed -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099634.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099635.exe -> TrojanDownloader.Apropo.ac -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099636.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099637.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099638.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099639.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099640.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099641.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099642.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099671.exe -> TrojanDownloader.Small.aly -> Cleaned with backup
Everything seemed to go pretty well following your directions except that my computer will not let me remove Windows AFA Internet Enhancement. When I click to remove the program, the screen briefly blinks but nothing happens. Also (I don't know if this is good or bad), I never found anything pertaining to taru.exe on my computer. Things seem to be doing much better on my system though, except my Symantec antivirus has been picking up an unusually high number of viruses such as Nimda and Sasser and quarantining them. Hopefully that won't lead to more trouble. Let me know what you think about the new scans, and thanks again for all your help so far!
Hi, Rovert122. We are making progress. You mentioned that Symantec is catching a lot of viruses (Nimda and Sasser) and quarantining them. It’s good that it’s finding them and stopping them from infecting your system. Can you tell me where they’re being found? Is it one particular location?
Your log is looking much better now, but we still have some things that don’t want to go away. Again, you will be starting your computer in Safe Mode later in the fix, so you will either want to print these instructions or save them to a file for reference.
Download CleanUp!, and then install it. We will use this later.
Download Killbox. Extract (unzip) it to its own folder. We will use this later.
Disconnect from the Internet... unplug the cable to your modem if need be.
Although you couldn’t remove it through Control Panel, it looks like Windows AFA Internet Enhancement is gone. I don’t see any sign of it in your log, so it’s probably just a ghost entry in your list. We can remove it with HijackThis.
Run HijackThis and click Open the Misc Tools section, then click Open Uninstall Manager. Scroll through the list to Windows AFA Internet Enhancement, click Delete this entry, and then Yes to confirm.
While still in HijackThis, click Back, then Scan and then check the box next to each of these items: (Note: If you have logged off or restarted your computer, the O2 item filename may have changed. Look for the CLSID 5483427F-93B8-1470-5A89-E6B56484CDB2 and fix that line, even if it shows a different filename.)
Now, close all open windows, including this one, and click Fix Checked.
Start Killbox. Put a check next to Delete on Reboot, then copy the line below into the Full Path of File to Delete box:
C:\WINDOWS\System32\bootpd.exe
Click the red and white Delete File button. Click Yes at the first prompt. Click No at the second prompt.
Repeat those same steps for this file:
C:\WINDOWS\System32\mahlap.exe
When you've finished, exit Killbox.
Restart your computer into Safe Mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
Now, please run CleanUp! Click Options, and then set the slider to Custom CleanUp!. Please select the following options: Delete Cookies, Delete Prefetch files, Scan local drives for temporary files, and CleanUp! All Users. Now, click OK, and then click CleanUp!
Restart your computer normally.
Let’s run ewido one more time. Most of the infected files were in temp folders. The others are in your System Restore, but they’re locked up and can’t hurt anything at the moment. When you’re clean, we'll clean those out too and get you a fresh restore point.
Run HijackThis, and post a new log for me to review. How did it go? Any problems?
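The triage the helper describes above (cookie, temporary-folder and System Restore hits are dormant copies, Windows-directory hits are live components) can be applied mechanically to a report in this format. This is an added example, not the thread's or ewido's own code; the sample report is constructed from lines of the kind posted in this thread, and the "Could not be cleaned" action on its last line is invented to exercise that branch.

```python
"""Triage an ewido 'Scan report' of the kind pasted in this thread.

Every result line has the shape
    <path> -> <detection name> -> <action taken>
Hits under Cookies, Temporary Internet Files and System Volume Information
(System Restore points) are dormant copies; hits under the Windows directory
are live. This groups hits by that distinction and cross-checks the header.
"""
import re
from collections import Counter

# Constructed sample in the thread's report format (not the poster's full log);
# the last line's action is invented to exercise the not-cleaned path.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Infected files: 5
+ Scan result:
C:\Documents and Settings\Trevor\Cookies\trevor@overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\K7ZZMOXX\inst4[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099629.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wintask.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\WINDOWS\SYSTEM32\uci.exe -> TrojanDropper.Agent.hl -> Could not be cleaned
"""

RESULT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) -> (?P<detection>.+?) -> (?P<action>.+?)\s*$"
)
HEADER_COUNT_RE = re.compile(r"^\+ Infected files:\s*(\d+)", re.M)

# Order matters: the first matching rule wins.
LOCATION_RULES = [
    ("cookie", re.compile(r"\\Cookies\\", re.I)),
    ("browser_cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
    ("system_restore", re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore\{", re.I)),
    ("windows_dir", re.compile(r"^[A-Za-z]:\\WINDOWS\\", re.I)),
]
DORMANT = {"cookie", "browser_cache", "system_restore"}


def classify(path):
    """Map a scanned path to the location bucket the helper reasons about."""
    for name, rule in LOCATION_RULES:
        if rule.search(path):
            return name
    return "other"


def parse_report(text):
    """Return one dict per result line: path, detection, action, location."""
    hits = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["location"] = classify(hit["path"])
            hits.append(hit)
    return hits


def reported_infected(text):
    """Count the report header claims, or None if the header is missing."""
    m = HEADER_COUNT_RE.search(text)
    return int(m.group(1)) if m else None


def live_hits(hits):
    """Hits outside cookie/cache/restore-point storage: the ones to act on."""
    return [h for h in hits if h["location"] not in DORMANT]


def summarize(text):
    hits = parse_report(text)
    claimed = reported_infected(text)
    return {
        "by_location": dict(Counter(h["location"] for h in hits)),
        # Family is the first dotted component, e.g. TrojanDownloader.Small.abd.
        "families": dict(Counter(h["detection"].split(".")[0] for h in hits)),
        "not_cleaned": [h["path"] for h in hits
                        if not h["action"].lower().startswith("cleaned")],
        "live": [h["path"] for h in live_hits(hits)],
        # A mismatch means lines were lost when the report was pasted.
        "count_matches_header": claimed is not None and claimed == len(hits),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_REPORT))
```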
Logfile of HijackThis v1.99.1
Scan saved at 1:21:48 PM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Things still seem to be going better than before on my computer. It does run a little sluggish, but I don't know if that's due to the virus. As for the viruses that have been quarantined lately (the Sasser, Nimda, trojan, bloodhound, and backdoor): by viewing Symantec's history I see that they've been found in my system32, Symantec Norton AntiVirus, and Temporary Internet Files folders. Symantec has quarantined over 90 in the past 3 days. Is there something I should do? Is there more I can do to prevent them from getting on my machine in the first place? Thanks!
Everything seemed to go smoothly with your directions. Here are the resulting scans...
Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 1:20:56 PM, 6/27/2005
+ Report-Checksum: 5C11FB35
+ Date of database: 6/27/2005
+ Version of scan engine: v3.0
+ Duration: 37 min
+ Scanned Files: 72573
+ Speed: 32.57 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\Documents and Settings\Trevor\Cookies\trevor@overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
Hi, Rovert122. That one item just will not play nicely and go away. You will be starting your computer in Safe Mode later in the fix, so you'll want to either print these instructions or save them to a file for reference.
Yes, there are certainly things you can do to help prevent these trojans and viruses from infecting your system again, and we will discuss them. We need to get this one last baddie from your HijackThis log, and then we can concentrate on other things.
Please restart your computer into Safe Mode (continually tap the F8 key as your system starts, and select Safe Mode from the menu). For more information on Safe Mode, refer to this site: http://www.pchell.com/support/safemode.shtml
Open the Windows Task Manager (Ctrl-Alt-Delete) and stop the following process if running:
C:\WINDOWS\System32\mahlap.exe
Close Task Manager.
Run HijackThis, click Do a system scan only, and check the box next to this item to have it fixed.
Now, close all open windows and click Fix Checked.
Start Killbox. Put a check next to Delete on Reboot, then type the line below into the Full Path of File to Delete box:
C:\WINDOWS\System32\mahlap.exe
Click the red and white Delete File button. Click Yes at the first prompt. Click No at the second prompt.
When you have finished, please restart your computer normally.
Download FindQoologic-Narrator. Extract (unzip) the files into their own folder. Browse to where you saved them. Double-click the Find-Qoologic2.bat file to run it. If you receive a warning that a script/batch file is attempting to run, please choose to allow it. A text file will open. Copy and paste the contents of the file into your reply along with a new HijackThis log please.
So, I'm having trouble with Windows Task Manager now. It will open, but what opens is not the full Task Manager but rather just an inner frame of it. I can see the list of running applications, and I have my buttons at the bottom for actions to take with those applications, but everything else around that is gone. The menus and the tabs up top are gone, and so I can't switch from applications to processes or do anything else for that matter. Is there any way to restore Task Manager? Should I skip that step and go on with the rest of your instructions?
Hi, rovert122. I believe your Task Manager is running in what Microsoft calls Tiny Footprint Mode. Double-click the top border of the window to see if that restores Task Manager to its "regular" mode. If that solves the problem, please continue with the instructions from my previous post.
If you're still having trouble with Task Manager, please let me know.
markkhunt (12 Posts) - June 24th, 2005 23:00
Hi, rovert122. Welcome to the forums.
I’m looking at your log now, and I’ll be back with some instructions after I’ve had time to research it. Thank you for your patience.
I am in training at Malware Removal University - You too could train to help others
markkhunt (12 Posts) - June 25th, 2005 00:00
Hi, Rovert122. You have different types of infections, so let’s tackle the Nail (Aurora) infection first. I will have you restart your computer in Safe Mode a little later in the fix, which will prevent you from having access to the Internet, so I recommend you either print these instructions or save them to a file for reference.
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.
Now, restart your computer into Safe Mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml.
Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Then please run Ewido, and run a full scan. Save the logfile from the scan.
Next please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Close all open windows except for HijackThis and click Fix Checked.
Restart your computer normally and please post a new HijackThis log, as well as the log from the Ewido scan.
I am in training at Malware Removal University - You too could train to help others
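The lines the helper has the poster fix in HijackThis (the F2 Shell= line above, plus the R1 search settings and the O1 Hosts entries in the log that follows) can be screened automatically. This is an added example, not part of the thread or of HijackThis; the sample log is constructed from line shapes in the poster's log, and the 127.0.0.1 entry with the ads.example.test name is invented to show what a benign ad-blocking hosts line looks like.

```python
"""Screen HijackThis log lines for the three hijack patterns in this thread.

  F2     REG:system.ini Shell= values that launch something besides Explorer.exe
         (the Nail/Aurora line the helper has the poster fix)
  O1     Hosts entries that point many hostnames at one non-loopback address
  R0/R1  Internet Explorer search settings that all point at one host
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample built from line shapes in the poster's log; the
# 127.0.0.1 line is invented to show a normal ad-blocking hosts entry.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tntech.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 127.0.0.1 ads.example.test
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hjt(text):
    """Return (kind, body) pairs for every 'Xn - ...' line; skip the header."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def shell_hijack(entries):
    """Executables appended to the system.ini Shell= value (F2 lines).

    A clean value is just 'Explorer.exe'; anything else starts with the shell
    at every logon. Paths containing spaces are not handled by this split.
    """
    extras = []
    for kind, body in entries:
        m = re.search(r"Shell=(.+)$", body) if kind == "F2" else None
        if m:
            extras += [t for t in m.group(1).split() if t.lower() != "explorer.exe"]
    return extras


def hosts_redirections(entries, min_hosts=3):
    """Non-loopback addresses that at least min_hosts O1 lines resolve to.

    Loopback entries are the normal shape of an ad-blocking hosts file, so
    they are ignored; many hostnames aimed at one routable address is a redirect.
    """
    by_ip = defaultdict(list)
    for kind, body in entries:
        if kind == "O1" and body.startswith("Hosts:"):
            parts = body.split()
            if len(parts) >= 3 and parts[1] not in LOOPBACK:
                by_ip[parts[1]].append(parts[2])
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}


def search_hijack(entries):
    """Count, per host, how many IE search-related settings point at it."""
    hosts = Counter()
    for kind, body in entries:
        if kind not in ("R0", "R1") or " = " not in body:
            continue
        key, value = body.split(" = ", 1)
        if "search" not in key.lower():
            continue  # Start Page, Default_Page_URL etc. are not search settings
        if "://" not in value:
            value = "http://" + value  # SearchURL values are written without a scheme
        host = urlparse(value).hostname
        if host:
            hosts[host] += 1
    return hosts


def screen(text):
    entries = parse_hjt(text)
    return {
        "shell_extras": shell_hijack(entries),
        "hosts_redirects": hosts_redirections(entries),
        "search_hosts": dict(search_hijack(entries)),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(screen(SAMPLE_LOG))
```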
rovert122 (18 Posts) - June 25th, 2005 20:00
Scan saved at 4:20:55 PM, on 6/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HIJACK\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tntech.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O1 - Hosts: 66.180.173.39 www.google.ae
O1 - Hosts: 66.180.173.39 www.google.am
O1 - Hosts: 66.180.173.39 www.google.as
O1 - Hosts: 66.180.173.39 www.google.at
O1 - Hosts: 66.180.173.39 www.google.az
O1 - Hosts: 66.180.173.39 www.google.be
O1 - Hosts: 66.180.173.39 www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca
O1 - Hosts: 66.180.173.39 www.google.cd
O1 - Hosts: 66.180.173.39 www.google.cg
O1 - Hosts: 66.180.173.39 www.google.ch
O1 - Hosts: 66.180.173.39 www.google.ci
O1 - Hosts: 66.180.173.39 www.google.cl
O1 - Hosts: 66.180.173.39 www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu
O1 - Hosts: 66.180.173.39 www.google.co.il
O1 - Hosts: 66.180.173.39 www.google.co.in
O1 - Hosts: 66.180.173.39 www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.co.ke
O1 - Hosts: 66.180.173.39 www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls
O1 - Hosts: 66.180.173.39 www.google.co.nz
O1 - Hosts: 66.180.173.39 www.google.co.th
O1 - Hosts: 66.180.173.39 www.google.co.ug
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.co.ve
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag
O1 - Hosts: 66.180.173.39 www.google.com.ar
O1 - Hosts: 66.180.173.39 www.google.com.au
O1 - Hosts: 66.180.173.39 www.google.com.br
O1 - Hosts: 66.180.173.39 www.google.com.co
O1 - Hosts: 66.180.173.39 www.google.com.cu
O1 - Hosts: 66.180.173.39 www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec
O1 - Hosts: 66.180.173.39 www.google.com.fj
O1 - Hosts: 66.180.173.39 www.google.com.gi
O1 - Hosts: 66.180.173.39 www.google.com.gr
O1 - Hosts: 66.180.173.39 www.google.com.gt
O1 - Hosts: 66.180.173.39 www.google.com.hk
O1 - Hosts: 66.180.173.39 www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt
O1 - Hosts: 66.180.173.39 www.google.com.mx
O1 - Hosts: 66.180.173.39 www.google.com.my
O1 - Hosts: 66.180.173.39 www.google.com.na
O1 - Hosts: 66.180.173.39 www.google.com.nf
O1 - Hosts: 66.180.173.39 www.google.com.ni
O1 - Hosts: 66.180.173.39 www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pe
O1 - Hosts: 66.180.173.39 www.google.com.ph
O1 - Hosts: 66.180.173.39 www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.pr
O1 - Hosts: 66.180.173.39 www.google.com.py
O1 - Hosts: 66.180.173.39 www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg
O1 - Hosts: 66.180.173.39 www.google.com.sv
O1 - Hosts: 66.180.173.39 www.google.com.tr
O1 - Hosts: 66.180.173.39 www.google.com.tw
O1 - Hosts: 66.180.173.39 www.google.com.ua
O1 - Hosts: 66.180.173.39 www.google.com.uy
O1 - Hosts: 66.180.173.39 www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 66.180.173.39 www.google.dj
O1 - Hosts: 66.180.173.39 www.google.dk
O1 - Hosts: 66.180.173.39 www.google.es
O1 - Hosts: 66.180.173.39 www.google.fi
O1 - Hosts: 66.180.173.39 www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr
O1 - Hosts: 66.180.173.39 www.google.gg
O1 - Hosts: 66.180.173.39 www.google.gl
O1 - Hosts: 66.180.173.39 www.google.gm
O1 - Hosts: 66.180.173.39 www.google.hn
O1 - Hosts: 66.180.173.39 www.google.ie
O1 - Hosts: 66.180.173.39 www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz
O1 - Hosts: 66.180.173.39 www.google.li
O1 - Hosts: 66.180.173.39 www.google.lt
O1 - Hosts: 66.180.173.39 www.google.lu
O1 - Hosts: 66.180.173.39 www.google.lv
O1 - Hosts: 66.180.173.39 www.google.mn
O1 - Hosts: 66.180.173.39 www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu
O1 - Hosts: 66.180.173.39 www.google.mw
O1 - Hosts: 66.180.173.39 www.google.nl
O1 - Hosts: 66.180.173.39 www.google.no
O1 - Hosts: 66.180.173.39 www.google.off.ai
O1 - Hosts: 66.180.173.39 www.google.pl
O1 - Hosts: 66.180.173.39 www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt
O1 - Hosts: 66.180.173.39 www.google.ro
O1 - Hosts: 66.180.173.39 www.google.ru
O1 - Hosts: 66.180.173.39 www.google.rw
O1 - Hosts: 66.180.173.39 www.google.se
O1 - Hosts: 66.180.173.39 www.google.sh
O1 - Hosts: 66.180.173.39 www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm
O1 - Hosts: 66.180.173.39 www.google.td
O1 - Hosts: 66.180.173.39 www.google.tm
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Trevor\LOCALS~1\Temp\sxufsfytels.dll (file missing)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mahlap.exe reg_run
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: taru.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
rovert122
June 25th, 2005 20:00
ewido security suite - Scan report
---------------------------------------------------------
+ Report-Checksum: 2F5930BA
+ Version of scan engine: v3.0
+ Scanned Files: 79043
+ Speed: 26.93 Files/Second
+ Infected files: 54
+ Removed files: 54
+ Files put in quarantine: 54
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Crypter: Yes
+ Archives: Yes
C:\
C:\Documents and Settings\Trevor\Cookies\trevor@overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\BRXF7HKG\My404[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099573.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099574.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099575.exe -> Spyware.Gator -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099576.exe -> Spyware.Gator -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099577.dll -> Spyware.WinAD.ag -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099578.exe -> Spyware.WinAD.am -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099579.exe -> Spyware.WinAD -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099580.DLL -> Spyware.MyWay.j -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099581.EXE -> Spyware.MyWay.j -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099582.dll -> Spyware.SmartPops -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099583.exe -> Spyware.SmartPops -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099584.exe -> Spyware.WeirWeb -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099585.exe -> TrojanDownloader.Small.akz -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099586.dll -> Spyware.BookedSpace.e -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099587.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099588.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099589.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099590.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099591.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099592.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099593.exe -> TrojanDownloader.Small.ayh -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099594.exe -> Spyware.Apropos -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099595.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099596.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099597.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099598.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099599.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099600.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099601.vxd -> Spyware.MediaPass -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099602.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099603.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099604.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099605.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099606.cpl -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099607.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099608.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099609.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099618.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\My404.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM\QB.exe -> TrojanDownloader.Small.aly -> Cleaned with backup
C:\WINDOWS\SYSTEM32\uci.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vtdqgf.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wei0_qcx.exe -> TrojanDownloader.Agent.ed -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wintask.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wldpserv.exe -> TrojanDownloader.Apropo.ac -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wrapperouter.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\vybzmwguwfq.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
::Report End
markkhunt
June 26th, 2005 15:00
Hi, Rovert122. It looks like the nail infection is gone, so let’s get started on the rest. You will be starting your computer in Safe Mode later in the fix, which will prevent you from accessing the Internet, so I recommend you either print these instructions or save them to a file for reference.
Download CWShredder. Save it to your desktop, run it, and then click Check For Update. After obtaining any updates, close CWShredder. We will run a scan with it later in Safe Mode.
Download miekiemoes' LQfix batch. Unzip it to your desktop but do NOT run it yet. We will use it later in Safe Mode.
Please download the IE.Plugin from Symantec and save it to your desktop. Now, please double-click the removal tool to remove the IE.Plugin from your system.
You need to remove the following programs (if present) from Add/Remove Programs in the Windows Control Panel:
Weatherbug
Windows AFA Internet Enhancement
The older versions of Weatherbug came bundled with spyware. If this is something you use, you may download the newest version, which is reportedly free of spyware, after your system is clean.
I would advise you to also remove Viewpoint Manager through Add/Remove Programs. Many experts feel this program is borderline spyware and should be removed, but the debate is ongoing. I will leave the decision up to you.
Restart your computer.
Run HijackThis and click Do a system scan only and check the box next to each of these items. Running the Symantec Removal Tool and removing some programs may have taken care of some of these items, so don’t worry if something isn’t there.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Trevor\LOCALS~1\Temp\sxufsfytels.dll (file missing)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mahlap.exe reg_run
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: taru.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
If you chose to remove Viewpoint Manager, also check this item to have it fixed (if still present):
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Close all open windows, including this one, and click Fix Checked.
We need to make sure you can see all files, including hidden and system files. Please click Start => My Computer. On the menu bar select Tools => Folder Options, and then select the View tab. Under the Hidden files and folders heading, please make sure Show hidden files and folders is checked and Hide protected operating system files (recommended) is unchecked. Click Yes to confirm, and then click OK.
Now, restart your computer into Safe Mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
Using Windows Explorer, please delete the following files (shown below in red) if still present:
C:\counter.cab
C:\WINDOWS\VCMnet11.exe
C:\Windows\words.lst
C:\WINDOWS\wupdt.exe
C:\WINDOWS\System32\bootpd.exe
C:\WINDOWS\System32\mahlap.exe
C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\scrsvc.exe
Using Windows Explorer, please delete the following folders (shown below in red) if still present:
C:\Program Files\AWS\
C:\Program Files\Cas\
C:\Program Files\Srng\
C:\WINDOWS\EliteToolBar\
If you chose to remove Viewpoint Manager, please delete this folder also if still present:
C:\Program Files\Viewpoint\
You will need to search for the last file that needs to be deleted. Please click Start => Search => All files and folders. In the All or part of the file name: box, type taru.exe. Make sure the Look in: box is set to search your C: drive, and then click Search. When the search has been completed, please delete every instance of the taru.exe file found.
Please run CWShredder and click Fix to remove the CWS infection from your system.
Run LQfix.bat. If you get a warning about a script/batch file trying to run, please choose to allow it.
When finished, please restart your computer normally.
Now, download Hoster, unzip it, and then run the hoster.exe program file. Click Restore Original Hosts. Warning: This will restore your Hosts file to the original Microsoft configuration. If you were using a customized Hosts file, you will need to manually add any necessary entries.
Please run the ewido scan one more time to make sure it got everything and save the log.
Run HijackThis again, and post a fresh log for me to review, along with the new log from ewido. Also, please let me know if you had trouble completing any of the steps in this fix.
I am in training at Malware Removal University - You too could train to help others
Message Edited by markkhunt on 06-26-2005 11:28 AM
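An added example, not part of this thread and not code from HijackThis, Hoster or ewido: a small Python triage script that does two of the checks a helper otherwise does by eye. It groups the O1 Hosts entries of a log by target address, so a hosts-file hijack (many domains pinned to one routable address, as with the www.google.* lines above) stands out while the benign "point an ad host at 127.0.0.1 / 0.0.0.0" pattern is ignored, and it diffs a before log against an after log to show exactly which entries a fix cleared and which came back. The log excerpts and the hosts file in the block are constructed samples modelled on the logs posted in this thread, not the full logs; the raw hosts-file parser generalizes the check beyond HijackThis output to the file itself.

```python
# HijackThis-log triage helper. Added example; not part of this thread, HijackThis or Hoster.
import ipaddress
import re
from collections import defaultdict

# Constructed excerpts modelled on the logs in this thread (trimmed, not the full logs).
BEFORE_LOG = """\
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\\Program Files\\NZSearch\\SearchEnh1.dll
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.de
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\\DOCUME~1\\Trevor\\LOCALS~1\\Temp\\sxufsfytels.dll (file missing)
O4 - HKLM\\..\\Run: [PSof1] C:\\WINDOWS\\System32\\PSof1.exe
O4 - HKLM\\..\\Run: [KavSvc] C:\\WINDOWS\\System32\\mahlap.exe reg_run
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
"""
AFTER_LOG = """\
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\\Program Files\\NZSearch\\SearchEnh1.dll
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\\DOCUME~1\\Trevor\\LOCALS~1\\Temp\\dyxqrsfmdod.dll (file missing)
O4 - HKLM\\..\\Run: [KavSvc] C:\\WINDOWS\\System32\\mahlap.exe reg_run
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
"""
# Constructed raw hosts file (the format Hoster's "Restore Original Hosts" resets).
SAMPLE_HOSTS_FILE = """\
# constructed sample, not the machine's real file
127.0.0.1       localhost
0.0.0.0         ads.example.invalid      # blocking an ad host: benign pattern
66.180.173.39   www.google.com www.google.fr
"""

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
HOSTS_ENTRY = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
TEMP_PATH = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)


def parse_hjt(text):
    """(section, body) tuples for every HijackThis entry line; other text is skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def hosts_entries(entries):
    """(ip, hostname) pairs from the O1 entries of a parsed log."""
    pairs = []
    for section, body in entries:
        if section == "O1":
            m = HOSTS_ENTRY.match(body)
            if m:
                pairs.append((m["ip"], m["host"].lower()))
    return pairs


def parse_hosts_file(text):
    """(ip, hostname) pairs from a raw hosts file: strips '#' comments and accepts
    several hostnames per line, so the same check runs on the file itself."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            pairs.extend((fields[0], host.lower()) for host in fields[1:])
    return pairs


def find_hosts_hijack(pairs):
    """Group hostnames by the address they are pinned to and report every routable
    target as {ip: [hostnames]}. Loopback/unspecified targets (127.0.0.1, 0.0.0.0)
    are how people block ad hosts, so they are ignored; one real address with a pile
    of search-engine domains behind it, as in this thread, is a redirect hijack."""
    by_ip = defaultdict(set)
    for ip, host in pairs:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; cannot classify it
        if not (addr.is_loopback or addr.is_unspecified):
            by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def loaded_from_temp(entries):
    """Entries whose file sits under a user's Temp folder. Installed software does not
    persist from there; the (no name) BHO in this thread does, and appears under a
    different random DLL name in the second log."""
    return [f"{s} - {b}" for s, b in entries if TEMP_PATH.search(b)]


def diff_logs(before_text, after_text):
    """(removed, added, kept) entry lists between two logs, to confirm what a fix
    actually cleared instead of eyeballing two long logs."""
    before = {f"{s} - {b}" for s, b in parse_hjt(before_text)}
    after = {f"{s} - {b}" for s, b in parse_hjt(after_text)}
    return sorted(before - after), sorted(after - before), sorted(before & after)


if __name__ == "__main__":
    for ip, hosts in find_hosts_hijack(hosts_entries(parse_hjt(BEFORE_LOG))).items():
        print(f"log: {len(hosts)} domain(s) pinned to {ip}: {', '.join(hosts)}")
    for ip, hosts in find_hosts_hijack(parse_hosts_file(SAMPLE_HOSTS_FILE)).items():
        print(f"hosts file: {len(hosts)} domain(s) pinned to {ip}: {', '.join(hosts)}")
    removed, added, kept = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"removed {len(removed)}, added {len(added)}, unchanged {len(kept)}")
    for entry in loaded_from_temp(parse_hjt(AFTER_LOG)):
        print("still loading from Temp:", entry)
```

Run it as-is to see the constructed samples classified; to use it on real logs, read the two saved HijackThis logs into BEFORE_LOG and AFTER_LOG, and point parse_hosts_file at the machine's hosts file. The diff is the useful part of a second-round review: an entry that is gone confirms the fix step worked, an entry that is still present (here the KavSvc Run key) says which step to repeat, and an entry that reappears with a new random name points at an active dropper rather than leftover registry noise.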
rovert122
June 26th, 2005 18:00
Now the HJT scan results:
Logfile of HijackThis v1.99.1
Scan saved at 2:51:24 PM, on 6/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\mahlap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HIJACK\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tntech.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Trevor\LOCALS~1\Temp\dyxqrsfmdod.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mahlap.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
rovert122
June 26th, 2005 18:00
ewido security suite - Scan report
---------------------------------------------------------
+ Report-Checksum: 114592AA
+ Version of scan engine: v3.0
+ Scanned Files: 79548
+ Speed: 34.39 Files/Second
+ Infected files: 40
+ Removed files: 40
+ Files put in quarantine: 40
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Crypter: Yes
+ Archives: Yes
C:\
C:\Documents and Settings\Trevor\Cookies\trevor@ads.addynamix[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@dcsd5wwin5twkfrzuk84u2yuc_4j4l[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@mediaplex[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@statse.webtrendslive[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@targetnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@www.eadexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@www.shopathomeselect[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Cookies\trevor@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\K7ZZMOXX\inst4[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\K7ZZMOXX\pcs_0006[1].exe -> Spyware.Pacer.b -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\LIBS8Q0F\inst13[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\VUGJZ9OD\inst7[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\VUGJZ9OD\trk_0002[1].exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\VUGJZ9OD\trk_0006[1].exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\VUGJZ9OD\trk_0021[1].exe -> Spyware.Pacer.e -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\X3O4SL3B\trk_0009[1].exe -> Spyware.Pacer -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\ZV5SQGDX\My404[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\ZV5SQGDX\website[1].ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099629.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099630.exe -> TrojanDownloader.Small.aly -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099631.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099632.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099633.exe -> TrojanDownloader.Agent.ed -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099634.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099635.exe -> TrojanDownloader.Apropo.ac -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099636.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099637.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099638.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099639.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099640.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099641.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099642.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099671.exe -> TrojanDownloader.Small.aly -> Cleaned with backup
::Report End
rovert122
18 Posts
0
June 26th, 2005 19:00
markkhunt
12 Posts
0
June 26th, 2005 23:00
Hi, Rovert122. We are making progress. You mentioned that Symantec is catching a lot of viruses (Nimda and Sasser) and quarantining them. It’s good that it’s finding them and stopping them from infecting your system. Can you tell me where they’re being found? Is it one particular location?
Your log is looking much better now, but we still have some things that don’t want to go away. Again, you will be starting your computer in Safe Mode later in the fix, so you will either want to print these instructions or save them to a file for reference.
Download CleanUp!, and then install it. We will use this later.
Download Killbox. Extract (unzip) it to its own folder. We will use this later.
Disconnect from the Internet... unplug the cable to your modem if need be.
Although you couldn’t remove it through Control Panel, it looks like Windows AFA Internet Enhancement is gone. I don’t see any sign of it in your log, so it’s probably just a ghost entry in your list. We can remove it with HijackThis.
Run HijackThis and click Open the Misc Tools section, then click Open Uninstall Manager. Scroll through the list to Windows AFA Internet Enhancement, click Delete this entry, and then Yes to confirm.
While still in HijackThis, click Back, then Scan and then check the box next to each of these items: (Note: If you have logged off or restarted your computer, the O2 item filename may have changed. Look for the CLSID 5483427F-93B8-1470-5A89-E6B56484CDB2 and fix that line, even if it shows a different filename.)
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Trevor\LOCALS~1\Temp\dyxqrsfmdod.dll (file missing)
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mahlap.exe reg_run
Now, close all open windows, including this one, and click Fix Checked.
Start Killbox. Put a check next to Delete on Reboot, then copy the line below into the Full Path of File to Delete box:
C:\WINDOWS\System32\bootpd.exe
Click the red and white Delete File button.
Click Yes at the first prompt.
Click No at the second prompt.
Repeat those same steps for this file:
C:\WINDOWS\System32\mahlap.exe
When you've finished, exit Killbox.
Restart your computer into Safe Mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
Now, please run CleanUp! Click Options, and then set the slider to Custom CleanUp!. Please select the following options: Delete Cookies, Delete Prefetch files, Scan local drives for temporary files, and CleanUp! All Users. Now, click OK, and then click CleanUp!
Restart your computer normally.
Let’s run ewido one more time. Most of the infected files were in temp folders. The others are in your System Restore, but they’re locked up and can’t hurt anything at the moment. When you’re clean, we'll clean those out too and get you a fresh restore point.
Run HijackThis, and post a new log for me to review. How did it go? Any problems?
I am in training at Malware Removal University - You too could train to help others
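The triage the helper does by eye above, sorting the report's hits into temp folders, cookies and System Restore before deciding what still needs attention, can be automated. The following script is an added example, not code from the thread or from ewido: it parses the report's "path -> detection -> action" lines, buckets each hit by location, groups them by detection family, and cross-checks the number of result lines against the report's own "+ Infected files:" count so a truncated paste is noticed. The sample report is a constructed excerpt built from lines that appear in the thread.

```python
import re
from collections import Counter

# Constructed excerpt of an ewido report in the format posted in the thread:
# the "+ Infected files:" count line plus a few "path -> detection -> action"
# result lines taken from the report above. A real report has many more lines.
SAMPLE_REPORT = r"""
+ Infected files: 5
+ Scan result:
C:\Documents and Settings\Trevor\Cookies\trevor@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\K7ZZMOXX\inst4[1].exe -> TrojanDownloader.Small.apm -> Cleaned with backup
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\ZV5SQGDX\website[1].ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099631.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP367\A0099639.dll -> Spyware.WildTangent.b -> Cleaned with backup
::Report End
"""

# One result line: a drive-letter path, the detection name, and the action taken.
RESULT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) -> (?P<detection>.+?) -> (?P<action>.+)$")
COUNT_RE = re.compile(r"^\+ Infected files:\s*(\d+)")

# Location buckets, tested in order against the lower-cased path. Anything that
# matches none of them sits in a live location and deserves a closer look.
LOCATIONS = [
    ("cookie", "\\cookies\\"),
    ("browser cache", "\\temporary internet files\\"),
    ("system restore", "\\system volume information\\_restore"),
]


def classify(path):
    """Return the location bucket for one detected file."""
    lowered = path.lower()
    for label, marker in LOCATIONS:
        if marker in lowered:
            return label
    return "live file"


def parse_scan_results(text):
    """Extract path/detection/action records from the result section."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results.append(m.groupdict())
    return results


def reported_infected_count(text):
    """The count the report itself claims, or None if the line is absent."""
    for line in text.splitlines():
        m = COUNT_RE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def counts_agree(text):
    """True when the number of result lines matches the report's own count."""
    return reported_infected_count(text) == len(parse_scan_results(text))


def summarize(results):
    """Group detections by location and by detection family."""
    by_location = Counter(classify(r["path"]) for r in results)
    by_family = Counter(r["detection"].split(".")[0] for r in results)
    live = [r["path"] for r in results if classify(r["path"]) == "live file"]
    not_cleaned = [r["path"] for r in results
                   if not r["action"].lower().startswith("cleaned")]
    return {
        "total": len(results),
        "by_location": dict(by_location),
        "by_family": dict(by_family),
        "live": live,
        "not_cleaned": not_cleaned,
    }


if __name__ == "__main__":
    summary = summarize(parse_scan_results(SAMPLE_REPORT))
    print("counts agree:", counts_agree(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The "live" and "not_cleaned" lists are the ones worth reading first: a hit outside the cookie, cache and restore-point buckets is a file that was actually installed, and a hit that ewido could not clean needs manual follow-up of the kind the helper describes.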
rovert122
18 Posts
0
June 27th, 2005 17:00
Scan saved at 1:21:48 PM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\mahlap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HIJACK\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tntech.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mahlap.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
rovert122
18 Posts
0
June 27th, 2005 17:00
rovert122
18 Posts
0
June 27th, 2005 17:00
ewido security suite - Scan report
---------------------------------------------------------
+ Report-Checksum: 5C11FB35
+ Version of scan engine: v3.0
+ Scanned Files: 72573
+ Speed: 32.57 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Crypter: Yes
+ Archives: Yes
C:\
C:\Documents and Settings\Trevor\Cookies\trevor@overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
::Report End
markkhunt
12 Posts
0
June 27th, 2005 21:00
Hi, Rovert122. That one item just will not play nicely and go away. You will be starting your computer in Safe Mode later in the fix, so you'll want to either print these instructions or save them to a file for reference.
Yes, there are certainly things you can do to help prevent these trojans and viruses from infecting your system again, and we will discuss them. We need to get this one last baddie from your HijackThis log, and then we can concentrate on other things.
Please restart your computer into Safe Mode (continually tap the F8 key as your system starts, selecting Safe Mode from the menu option.) For more information on Safe Mode, refer to this site: http://www.pchell.com/support/safemode.shtml
Open the Windows Task Manager (Ctrl-Alt-Delete) and stop the following process if running:
C:\WINDOWS\System32\mahlap.exe
Close Task Manager
Run HijackThis, click Do a system scan only, and check the box next to this item to have it fixed.
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mahlap.exe reg_run
Now, close all open windows and click Fix Checked.
Start Killbox. Put a check next to Delete on Reboot, then type the line below into the Full Path of File to Delete box:
C:\WINDOWS\System32\mahlap.exe
Click the red and white Delete File button.
Click Yes at the first prompt.
Click No at the second prompt.
When you have finished, please restart your computer normally.
Download FindQoologic-Narrator. Extract (unzip) the files into their own folder. Browse to where you saved them. Double-click the Find-Qoologic2.bat file to run it. If you receive a warning that a script/batch file is attempting to run, please choose to allow it. A text file will open. Copy and paste the contents of the file into your reply along with a new HijackThis log please.
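The reason the helper is back to the same file is visible when the follow-up log is compared with the list of items that were supposed to be fixed. As an added example, not part of the thread or of HijackThis, the script below does that comparison: O4 Run entries are matched by executable path, O2 BHO entries by CLSID (as the earlier post advises, since the filename can change between reboots), and the running-process section is checked as well, because a process that is still running can recreate its Run entry after HijackThis has removed it. The requested items are the three lines from the earlier post; the follow-up log is a constructed excerpt made of lines from the log posted after the fix.

```python
import re

# The three items the helper asked to have fixed (copied from the thread).
REQUESTED_FIXES = r"""
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Trevor\LOCALS~1\Temp\dyxqrsfmdod.dll (file missing)
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mahlap.exe reg_run
"""

# Constructed excerpt of the follow-up log, using lines from the log posted
# after the fix; a real HijackThis log is much longer.
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.99.1
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\mahlap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HIJACK\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tntech.edu/
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mahlap.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# Running-process lines are bare paths; O4 Run entries carry a value name and
# a command line; O2 BHO entries are identified by their CLSID.
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: .*?(?P<clsid>\{[0-9A-Fa-f-]{36}\})")
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)


def normalize(path):
    """Lower-case and strip quotes so paths compare reliably across logs."""
    return path.strip().strip('"').lower()


def exe_from_command(cmd):
    """Pull the executable path out of a Run-key command line, if it has one."""
    m = EXE_RE.match(cmd.strip())
    return normalize(m.group("exe")) if m else normalize(cmd)


def parse_hjt(text):
    """Collect running processes, O4 Run entries (exe -> value name) and O2 CLSIDs."""
    processes, o4, o2 = set(), {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if PROC_RE.match(line):
            processes.add(normalize(line))
            continue
        m = O4_RUN_RE.match(line)
        if m:
            o4[exe_from_command(m.group("cmd"))] = m.group("name")
            continue
        m = O2_RE.match(line)
        if m:
            o2.add(m.group("clsid").upper())
    return {"processes": processes, "o4": o4, "o2": o2}


def check_fix(requested_text, followup_text):
    """Compare the items that were to be fixed with what the follow-up log still shows."""
    wanted = parse_hjt(requested_text)
    after = parse_hjt(followup_text)
    return {
        "persisted_o4": sorted(e for e in wanted["o4"] if e in after["o4"]),
        "removed_o4": sorted(e for e in wanted["o4"] if e not in after["o4"]),
        "persisted_o2": sorted(c for c in wanted["o2"] if c in after["o2"]),
        "removed_o2": sorted(c for c in wanted["o2"] if c not in after["o2"]),
        # A binary that is still running can write its Run entry back, so the
        # process list is checked independently of the registry entries.
        "still_running": sorted(e for e in wanted["o4"] if e in after["processes"]),
    }


if __name__ == "__main__":
    for key, items in check_fix(REQUESTED_FIXES, FOLLOWUP_LOG).items():
        print(f"{key}: {items}")
```

On the thread's own logs the result is the one the helper reacts to: the bootpd.exe entry and the O2 BHO are gone, while mahlap.exe is both still listed under HKLM\..\Run and still present in the process list, which is why the next round stops the process first and deletes the file on reboot before fixing the registry entry.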
rovert122
18 Posts
0
June 28th, 2005 17:00
markkhunt
12 Posts
0
June 28th, 2005 18:00
Hi, rovert122. I believe your Task Manager is running in what Microsoft calls Tiny Footprint Mode. Double-click the top border of the window to see if that restores Task Manager to its "regular" mode. If that solves the problem, please continue with the instructions from my previous post.
If you're still having trouble with Task Manager, please let me know.