I hate nowfind.biz!!

Frostie_9 · 04-19-2005, 02:59 AM

Hallo

This is my parents computer and they have a problem with Nowfind.biz.
It's taking over the homepage. I tried to delete this, but it doesn't work.
Please can you help me?
This is my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:44:17, on 19/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\bellen\Skype\Phone\Skype.exe
c:\windows\system32\hzudth.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Anti-Spyware\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [rtpbvt] c:\windows\system32\hzudth.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\spyware\freescan.exe -FastScan
O4 - HKCU\..\Run: [Skype] "C:\Program Files\bellen\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

kworley517 · 04-19-2005, 07:01 AM

Hello Frostie_9 and welcome to TSF...

In order to assist you better, we recommend that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Download Silent Runners http://www.silentrunners.org/Silent%20Runners.vbs. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named “StartupPrograms” with Your user and date in the filename. Open that txt file and posts it contents in your next post.

Download and unzip
http://castlecops.com/zx/Zupe/Find%20It%20NT-2K-XP.zip
Double-click on find.bat inside the folder to run it. It should run for a while, then open a text document. Please copy and paste the contents of that document here

Frostie_9 · 04-22-2005, 04:39 AM

Hello kworley 517

I followed the procedure and this is the result:

"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Spyware Begone" = "C:\Program Files\spyware\freescan.exe -FastScan" [file not found]
"Skype" = ""C:\Program Files\bellen\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"tapisys" = "C:\WINDOWS\System32\tss.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"tapisys" = "C:\WINDOWS\System32\tss.exe" [file not found]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" [file not found]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [file not found]
"xrbtuh" = "c:\windows\system32\gznbnu.exe" ["TODO: <Company name>"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{302A3240-4805-4a34-97D7-1645A0B08410}\(Default) = "BolgerObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Bolger.dll" ["Bolger"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Configuratiescherm-uitbreiding Beeldscherm-panning"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-pictogramuitbreiding"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

The program castlecops (find.bat) can not find the wright pad!!
What now??

greyknight17 · 04-22-2005, 11:07 AM

What do you mean? You mean it can't find the right path? OK, try using this program:

Download DllCompare http://www.greyknight17.com/spy/DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.

Frostie_9 · 04-24-2005, 11:32 AM

Hello greyknight17

I run dllcompare.exe and this is the result:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1.136 items found: 1.136 files, 0 directories.
Total of file sizes: 191.315.671 bytes 182,45 M

Administrator Account = True

--------------------End log---------------------

Thanks for helping me!!

MicroBell · 04-24-2005, 05:25 PM

Frostie_9:

Please locate the following files. You may not have them all and they may be named slighty different then what I posted. Locate the ones you have and post their directorys..

C:\windows\system32\cidft.dll
C:\windows\system32\cidpog32.dll
C:\windows\system32\gupd.dll
C:\windows\system32\hst32.dll
C:\WINDOWS\System32\cidpoq32.dll
C:\WINDOWS\System32\nthst32.dll
C:\windows\system32\icnfe.dll
C:\windows\system32\icqrt.dll
C:\windows\system32\icvbr.dll
C:\windows\system32\sdfup.dll
C:\windows\system32\wcnl32.dll
C:\windows\system32\wecxg32.dll
C:\windows\system32\wirl.dll
C:\windows\system32\xcwer32.dll
C:\windows\system32\zxmsn.dll
C:\windows\system32\thun.dll
C:\WINDOWS\System32\thun32.dll
C:\windows\system32\rch32.dll
C:\Program Files\asd.hta
C:\windows\system32\w32tm.exe
C:\windows\system32\103a.exe
1.exe
pps.exe
103a.exe

I also need a log from the following tool...

Download FindIt's.zip to your desktop: http://forums.net-integration.net/in...post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
3. Then post the results here please, along with the new HijackThis log.

greyknight17 · 04-24-2005, 05:29 PM

What problems are you having running that Find It program? We will need you to run Find It to fix this problem. You have multiple infections here and it will definitely take more than one try to fix it up. So we need to get that Find It program working.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Spyware Begone or freescan

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\Run: [rtpbvt] c:\windows\system32\hzudth.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\spyware\freescan.exe -FastScan
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\Nail.exe
C:\WINDOWS\Bolger.dll
C:\WINDOWS\System32\tss.exe
c:\windows\system32\hzudth.exe
C:\Program Files\spyware\

OK, can you find any of the files listed below?

C:\windows\system32\cidft.dll
C:\windows\system32\cidpog32.dll
C:\windows\system32\gupd.dll
C:\windows\system32\hst32.dll
C:\WINDOWS\System32\cidpoq32.dll
C:\WINDOWS\System32\nthst32.dll
C:\windows\system32\icnfe.dll
C:\windows\system32\icqrt.dll
C:\windows\system32\icvbr.dll
C:\windows\system32\sdfup.dll
C:\windows\system32\wcnl32.dll
C:\windows\system32\wecxg32.dll
C:\windows\system32\wirl.dll
C:\windows\system32\xcwer32.dll
C:\windows\system32\zxmsn.dll
C:\windows\system32\thun.dll
C:\WINDOWS\System32\thun32.dll
C:\windows\system32\rch32.dll
C:\Program Files\asd.hta
C:\windows\system32\w32tm.exe
C:\windows\system32\103a.exe

If you can, see if you can find any similar filenames (it may not be exactly the same filenames I listed above) that were created around the same date as those above files.

Reboot into Normal Mode run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.

Frostie_9 · 04-26-2005, 01:52 AM

Hello Microbel

I found following files:

C:\windows\system32\cidft.dll
C:\windows\system32\cidpog32.dll
C:\windows\system32\gupd.dll
C:\windows\system32\hst32.dll
C:\WINDOWS\System32\cidpoq32.dll
C:\windows\system32\icnfe.dll
C:\windows\system32\icqrt.dll
C:\windows\system32\icvbr.dll
C:\windows\system32\sdfup.dll
C:\windows\system32\wcnl32.dll
C:\windows\system32\wecxg32.dll
C:\windows\system32\wirl.dll
C:\windows\system32\xcwer32.dll
C:\windows\system32\zxmsn.dll
C:\windows\system32\thun.dll
C:\WINDOWS\System32\thun32.dll
C:\windows\system32\rch32.dll
C:\Program Files\asd.hta
C:\windows\system32\w32tm.exe

This is the result of FindIt's:

Microsoft Windows XP [versie 5.1.2600]
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.

DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Het volume in station C heeft geen naam.
Het volumenummer is 4039-8EF0

Map van C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Het volume in station C heeft geen naam.
Het volumenummer is 4039-8EF0

Map van C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»».

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<geen naam> REG_SZ Bolger Functional Class

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}
<geen naam> REG_SZ BolgerObj Class

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

Logfile of HijackThis v1.99.1
Scan saved at 9:46:42, on 26/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\bellen\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
c:\windows\system32\vmbpec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Anti-Spyware\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ivxqnb] c:\windows\system32\vmbpec.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\spyware\freescan.exe -FastScan
O4 - HKCU\..\Run: [Skype] "C:\Program Files\bellen\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Frostie_9 · 04-26-2005, 02:33 AM

Hello greyknight17

I followed the procedure and get this result:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:04:51, on 26/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
c:\windows\system32\jeodfbs.exe
C:\Program Files\Anti-Spyware\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\Run: [cytmuu] c:\windows\system32\jeodfbs.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\spyware\freescan.exe -FastScan
O4 - HKCU\..\Run: [Skype] "C:\Program Files\bellen\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

End of KRC HijackThis Analyzer Log.
====================================================================

I hope you can help me, because it doesn't look easy.
Thanks a lot!!

MicroBell · 04-26-2005, 03:28 PM

Please print these instructions out so you can follow along as you'll have no internet access during the fix...

Download ewido security suite from here… http://www.ewido.net/en/download/

Update it’s database from here.. http://www.ewido.net/en/download/updates/
Run a scan and let it clean the PC.

Download KillBox http://www.atribune.org/downloads/KillBox.exe
Download and install CleanUp http://cleanup.stevengould.org/

Download DelDomains.inf
Right-click and select..... Save Target As

To use: Right-click and select....... Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone"

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn ON System Restore. Once your clean we will turn this off and then create a new restore point.

Close out all open windows and disconnect the PC from any internet access.

1. Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: System Startup Service (SvcProc)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

2. Run the cleanup utility and when prompted to reboot/logoff select NO

3. Open your clipboard viewer. Copy the list below of paths & filenames to the clipboard. Then highlight them all by pressing Control-C Run KILLBOX and select the "Delete on Reboot" box....and the click on File..then "Paste from clipboard" Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt

C:\Windows\System32\svcproc.exe
C:\Windows\System32\ Nail.exe
C:\windows\system32\cidft.dll
C:\windows\system32\cidpog32.dll
C:\windows\system32\gupd.dll
C:\windows\system32\hst32.dll
C:\WINDOWS\System32\cidpoq32.dll
C:\windows\system32\icnfe.dll
C:\windows\system32\icqrt.dll
C:\windows\system32\icvbr.dll
C:\windows\system32\sdfup.dll
C:\windows\system32\wcnl32.dll
C:\windows\system32\wecxg32.dll
C:\windows\system32\wirl.dll
C:\windows\system32\xcwer32.dll
C:\windows\system32\zxmsn.dll
C:\windows\system32\thun.dll
C:\WINDOWS\System32\thun32.dll
C:\windows\system32\rch32.dll
C:\Program Files\asd.hta
C:\WINDOWS\Bolger.dll
C:\windows\system32\w32tm.exe
C:\WINDOWS\System32\tss.exe
C:\WINDOWS\System32\DrPMon.dll
c:\windows\system32\jeodfbs.exe

4. Now, click on Start, then Run ... type cmd and press "OK".

In the next box that opens, type cd\
and press "Enter". Now you'll see the C: prompt ... looks like this: C:\>

Type cd\windows
and then Enter.

Next, type nail.exe /FullRemove
(make sure there is a space between nail.exe and the /) ... then Enter.

5. Now run hijackthis and fix the following entrys.....

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php
R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\Run: [cytmuu] c:\windows\system32\jeodfbs.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\spyware\freescan.exe -FastScan
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

6. Reboot the PC. Run hijackthis again and fix any leftover nowfind.biz entrys and then post another FindIt’s log and hijackthis log.

Frostie_9 · 04-28-2005, 04:01 AM

Hello Microbell

I followed the procedure and had a problem with this:
c:\windows>nail.exe /fullRemove --> my computer doesn't recognize nail.exe
Also in the Hijackthis, he can't find F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Here are the logs:

Microsoft Windows XP [versie 5.1.2600]
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Het volume in station C heeft geen naam.
Het volumenummer is 4039-8EF0

Map van C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Het volume in station C heeft geen naam.
Het volumenummer is 4039-8EF0

Map van C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»».

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<geen naam> REG_SZ Bolger Functional Class

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

Logfile of HijackThis v1.99.1
Scan saved at 11:46:57, on 28/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\bellen\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Anti-Spyware\Ewido\security suite\ewidoctrl.exe
C:\Program Files\Anti-Spyware\Ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Program Files\Anti-Spyware\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\bellen\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Anti-Spyware\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Anti-Spyware\Ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Thanks for your help!!!

MicroBell · 04-28-2005, 07:25 PM

Few more cleanup items....

Click start...run..type in regedit. Navigate to each of the following keys and remove the file/folder/entry in BOLD if listed...

HKEY_CURRENT_USER\Software\aurora

HKEY_CURRENT_USER\Software\Bolger

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<geen naam> REG_SZ Bolger Functional Class

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\
ZepMon
Driver REG_SZ DrPMon.dll

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

Your logs are clean. Any more issues? If not you should be good to go. Please install the latest service packs and security updates for both XP and IE6.

Please read through the spyware prevention section on how to protect yourself from spyware/adware Here and use the recommend programs and methods to protect yourself!

Frostie_9 · 05-02-2005, 08:35 AM

Hi Microbell

It's true, my logs are clean!!
Thank you very much for helping me!
You did a great job, keep going to help people!
Now I will protect my computer and I hope it never comes back.

Thanks a lot.

Frostie_9

04-19-2005, 02:59 AM	#1 (permalink)
Frostie_9 Registered User Join Date: Apr 2005 Posts: 7 OS: WinXP	I hate nowfind.biz!! Hallo This is my parents computer and they have a problem with Nowfind.biz. It's taking over the homepage. I tried to delete this, but it doesn't work. Please can you help me? This is my logfile: Logfile of HijackThis v1.99.1 Scan saved at 10:44:17, on 19/04/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\bellen\Skype\Phone\Skype.exe c:\windows\system32\hzudth.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe c:\Program Files\interMute\SpySubtract\SpySub.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Anti-Spyware\Hijack This\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file) F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O1 - Hosts: auto.search.msn.com 127.0.0.1 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [rtpbvt] c:\windows\system32\hzudth.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\spyware\freescan.exe -FastScan O4 - HKCU\..\Run: [Skype] "C:\Program Files\bellen\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url= O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url= O13 - Home Prefix: http://103.nowfind.biz/gall.php?url= O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url= O15 - Trusted Zone: .awmdabest.com O15 - Trusted Zone: .frame.crazywinnings.com O15 - Trusted Zone: .awmdabest.com (HKLM) O15 - Trusted Zone: .frame.crazywinnings.com (HKLM) O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing) O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

04-19-2005, 07:01 AM	#2 (permalink)
kworley517 Analyst, Security Team Join Date: Feb 2005 Location: South Florida Posts: 538 OS: XP Pro	Hello Frostie_9 and welcome to TSF... In order to assist you better, we recommend that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". Download Silent Runners http://www.silentrunners.org/Silent%20Runners.vbs. Make sure you have any script blocking software disabled 2. Run the program. It will take a few minutes to complete. 3. Once complete it will produce a log named “StartupPrograms” with Your user and date in the filename. Open that txt file and posts it contents in your next post. Download and unzip http://castlecops.com/zx/Zupe/Find%20It%20NT-2K-XP.zip Double-click on find.bat inside the folder to run it. It should run for a while, then open a text document. Please copy and paste the contents of that document here __________________

04-22-2005, 11:07 AM	#4 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	What do you mean? You mean it can't find the right path? OK, try using this program: Download DllCompare http://www.greyknight17.com/spy/DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

04-24-2005, 05:25 PM	#6 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Frostie_9: Please locate the following files. You may not have them all and they may be named slighty different then what I posted. Locate the ones you have and post their directorys.. C:\windows\system32\cidft.dll C:\windows\system32\cidpog32.dll C:\windows\system32\gupd.dll C:\windows\system32\hst32.dll C:\WINDOWS\System32\cidpoq32.dll C:\WINDOWS\System32\nthst32.dll C:\windows\system32\icnfe.dll C:\windows\system32\icqrt.dll C:\windows\system32\icvbr.dll C:\windows\system32\sdfup.dll C:\windows\system32\wcnl32.dll C:\windows\system32\wecxg32.dll C:\windows\system32\wirl.dll C:\windows\system32\xcwer32.dll C:\windows\system32\zxmsn.dll C:\windows\system32\thun.dll C:\WINDOWS\System32\thun32.dll C:\windows\system32\rch32.dll C:\Program Files\asd.hta C:\windows\system32\w32tm.exe C:\windows\system32\103a.exe 1.exe pps.exe 103a.exe I also need a log from the following tool... Download FindIt's.zip to your desktop: http://forums.net-integration.net/in...post&id=142443 1. Unzip/extract the files inside to a folder on your desktop. 2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ... 3. Then post the results here please, along with the new HijackThis log. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

04-24-2005, 05:29 PM	#7 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	What problems are you having running that Find It program? We will need you to run Find It to fix this problem. You have multiple infections here and it will definitely take more than one try to fix it up. So we need to get that Find It program working. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: Spyware Begone or freescan Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file) F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O1 - Hosts: auto.search.msn.com 127.0.0.1 O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe O4 - HKLM\..\Run: [rtpbvt] c:\windows\system32\hzudth.exe O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\spyware\freescan.exe -FastScan O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url= O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url= O13 - Home Prefix: http://103.nowfind.biz/gall.php?url= O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url= O15 - Trusted Zone: .awmdabest.com O15 - Trusted Zone: .frame.crazywinnings.com O15 - Trusted Zone: .awmdabest.com (HKLM) O15 - Trusted Zone: .frame.crazywinnings.com (HKLM) O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM) O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\Nail.exe C:\WINDOWS\Bolger.dll C:\WINDOWS\System32\tss.exe c:\windows\system32\hzudth.exe C:\Program Files\spyware\ OK, can you find any of the files listed below? C:\windows\system32\cidft.dll C:\windows\system32\cidpog32.dll C:\windows\system32\gupd.dll C:\windows\system32\hst32.dll C:\WINDOWS\System32\cidpoq32.dll C:\WINDOWS\System32\nthst32.dll C:\windows\system32\icnfe.dll C:\windows\system32\icqrt.dll C:\windows\system32\icvbr.dll C:\windows\system32\sdfup.dll C:\windows\system32\wcnl32.dll C:\windows\system32\wecxg32.dll C:\windows\system32\wirl.dll C:\windows\system32\xcwer32.dll C:\windows\system32\zxmsn.dll C:\windows\system32\thun.dll C:\WINDOWS\System32\thun32.dll C:\windows\system32\rch32.dll C:\Program Files\asd.hta C:\windows\system32\w32tm.exe C:\windows\system32\103a.exe If you can, see if you can find any similar filenames (it may not be exactly the same filenames I listed above) that were created around the same date as those above files. Reboot into Normal Mode run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

04-22-2005, 04:39 AM	#3 (permalink)
Frostie_9 Registered User Join Date: Apr 2005 Posts: 7 OS: WinXP	Hello kworley 517 I followed the procedure and this is the result: "Silent Runners.vbs", revision 35, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS] "Spyware Begone" = "C:\Program Files\spyware\freescan.exe -FastScan" [file not found] "Skype" = ""C:\Program Files\bellen\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."] "tapisys" = "C:\WINDOWS\System32\tss.exe" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "tapisys" = "C:\WINDOWS\System32\tss.exe" [file not found] "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" [file not found] "AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [file not found] "xrbtuh" = "c:\windows\system32\gznbnu.exe" ["TODO: <Company name>"] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {302A3240-4805-4a34-97D7-1645A0B08410}\(Default) = "BolgerObj Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Bolger.dll" ["Bolger"] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Configuratiescherm-uitbreiding Beeldscherm-panning" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-pictogramuitbreiding" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] The program castlecops (find.bat) can not find the wright pad!! What now??

04-24-2005, 11:32 AM	#5 (permalink)
Frostie_9 Registered User Join Date: Apr 2005 Posts: 7 OS: WinXP	Hello greyknight17 I run dllcompare.exe and this is the result: * DLLCompare Log version(1.0.0.125) Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! ________________________________________________ O^E says: "There were no files found :)" ________________________________________________ 1.136 items found: 1.136 files, 0 directories. Total of file sizes: 191.315.671 bytes 182,45 M Administrator Account = True --------------------End log--------------------- Thanks for helping me!!

04-26-2005, 01:52 AM	#8 (permalink)
Frostie_9 Registered User Join Date: Apr 2005 Posts: 7 OS: WinXP	Hello Microbel I found following files: C:\windows\system32\cidft.dll C:\windows\system32\cidpog32.dll C:\windows\system32\gupd.dll C:\windows\system32\hst32.dll C:\WINDOWS\System32\cidpoq32.dll C:\windows\system32\icnfe.dll C:\windows\system32\icqrt.dll C:\windows\system32\icvbr.dll C:\windows\system32\sdfup.dll C:\windows\system32\wcnl32.dll C:\windows\system32\wecxg32.dll C:\windows\system32\wirl.dll C:\windows\system32\xcwer32.dll C:\windows\system32\zxmsn.dll C:\windows\system32\thun.dll C:\WINDOWS\System32\thun32.dll C:\windows\system32\rch32.dll C:\Program Files\asd.hta C:\windows\system32\w32tm.exe This is the result of FindIt's: Microsoft Windows XP [versie 5.1.2600] PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. »»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Dont delete file's in the section without guidance If any doubt back them up first »»»»» lagitamate file's can/will show in this section. »»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» »»»»» Checking Windir\svcproc.exe and nail.exe. svcproc.exe Nail.exe »»»»» Checking for System32\DrPMon.dll. DrPMon.dll »»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder. Het volume in station C heeft geen naam. Het volumenummer is 4039-8EF0 Map van C:\WINDOWS\SYSTEM32 »»»»» Checking for SAHAgent ico files. Het volume in station C heeft geen naam. Het volumenummer is 4039-8EF0 Map van C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»». ! REG.EXE VERSION 3.0 HKEY_CURRENT_USER\Software\aurora ! REG.EXE VERSION 3.0 HKEY_CURRENT_USER\Software\Bolger ! REG.EXE VERSION 3.0 HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj <geen naam> REG_SZ Bolger Functional Class ! REG.EXE VERSION 3.0 HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410} <geen naam> REG_SZ BolgerObj Class ! REG.EXE VERSION 3.0 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon Driver REG_SZ DrPMon.dll ! REG.EXE VERSION 3.0 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon Driver REG_SZ DrPMon.dll ! REG.EXE VERSION 3.0 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon Driver REG_SZ DrPMon.dll Logfile of HijackThis v1.99.1 Scan saved at 9:46:42, on 26/04/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\bellen\Skype\Phone\Skype.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\interMute\SpySubtract\SpySub.exe c:\windows\system32\vmbpec.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Anti-Spyware\Hijack This\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file) F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O1 - Hosts: auto.search.msn.com 127.0.0.1 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [ivxqnb] c:\windows\system32\vmbpec.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\spyware\freescan.exe -FastScan O4 - HKCU\..\Run: [Skype] "C:\Program Files\bellen\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url= O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url= O13 - Home Prefix: http://103.nowfind.biz/gall.php?url= O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url= O15 - Trusted Zone: .awmdabest.com O15 - Trusted Zone: .frame.crazywinnings.com O15 - Trusted Zone: .awmdabest.com (HKLM) O15 - Trusted Zone: .frame.crazywinnings.com (HKLM) O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing) O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

04-26-2005, 02:33 AM	#9 (permalink)
Frostie_9 Registered User Join Date: Apr 2005 Posts: 7 OS: WinXP	Hello greyknight17 I followed the procedure and get this result: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 10:04:51, on 26/04/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: c:\windows\system32\jeodfbs.exe C:\Program Files\Anti-Spyware\Hijack This\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file) F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O1 - Hosts: auto.search.msn.com 127.0.0.1 O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe O4 - HKLM\..\Run: [cytmuu] c:\windows\system32\jeodfbs.exe O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\spyware\freescan.exe -FastScan O4 - HKCU\..\Run: [Skype] "C:\Program Files\bellen\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url= O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url= O13 - Home Prefix: http://103.nowfind.biz/gall.php?url= O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url= O15 - Trusted Zone: .awmdabest.com O15 - Trusted Zone: .frame.crazywinnings.com O15 - Trusted Zone: .awmdabest.com (HKLM) O15 - Trusted Zone: .frame.crazywinnings.com (HKLM) O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing) O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing) O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe End of KRC HijackThis Analyzer Log. ==================================================================== I hope you can help me, because it doesn't look easy. Thanks a lot!!

04-26-2005, 03:28 PM	#10 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Please print these instructions out so you can follow along as you'll have no internet access during the fix... Download ewido security suite from here… http://www.ewido.net/en/download/ Update it’s database from here.. http://www.ewido.net/en/download/updates/ Run a scan and let it clean the PC. Download KillBox http://www.atribune.org/downloads/KillBox.exe Download and install CleanUp http://cleanup.stevengould.org/ Download DelDomains.inf Right-click and select..... Save Target As To use: Right-click and select....... Install (no need to restart) Note This will remove all entries in the "Trusted Zone" Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn ON System Restore. Once your clean we will turn this off and then create a new restore point. Close out all open windows and disconnect the PC from any internet access. 1. Go to Start->Run and type Services.msc then hit Ok Scroll down and find the service called: System Startup Service (SvcProc) When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. 2. Run the cleanup utility and when prompted to reboot/logoff select NO 3. Open your clipboard viewer. Copy the list below of paths & filenames to the clipboard. Then highlight them all by pressing Control-C Run KILLBOX and select the "Delete on Reboot" box....and the click on File..then "Paste from clipboard" Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt C:\Windows\System32\svcproc.exe C:\Windows\System32\ Nail.exe C:\windows\system32\cidft.dll C:\windows\system32\cidpog32.dll C:\windows\system32\gupd.dll C:\windows\system32\hst32.dll C:\WINDOWS\System32\cidpoq32.dll C:\windows\system32\icnfe.dll C:\windows\system32\icqrt.dll C:\windows\system32\icvbr.dll C:\windows\system32\sdfup.dll C:\windows\system32\wcnl32.dll C:\windows\system32\wecxg32.dll C:\windows\system32\wirl.dll C:\windows\system32\xcwer32.dll C:\windows\system32\zxmsn.dll C:\windows\system32\thun.dll C:\WINDOWS\System32\thun32.dll C:\windows\system32\rch32.dll C:\Program Files\asd.hta C:\WINDOWS\Bolger.dll C:\windows\system32\w32tm.exe C:\WINDOWS\System32\tss.exe C:\WINDOWS\System32\DrPMon.dll c:\windows\system32\jeodfbs.exe 4. Now, click on Start, then Run ... type cmd and press "OK". In the next box that opens, type cd\ and press "Enter". Now you'll see the C: prompt ... looks like this: C:\> Type cd\windows and then Enter. Next, type nail.exe /FullRemove (make sure there is a space between nail.exe and the /) ... then Enter. 5. Now run hijackthis and fix the following entrys..... R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://103.nowfind.biz/pps.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://103.nowfind.biz/pps.php R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://103.nowfind.biz/pps.php R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file) F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O1 - Hosts: auto.search.msn.com 127.0.0.1 O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe O4 - HKLM\..\Run: [cytmuu] c:\windows\system32\jeodfbs.exe O4 - HKCU\..\Run: [Spyware Begone] C:\Program Files\spyware\freescan.exe -FastScan O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url= O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url= O13 - Home Prefix: http://103.nowfind.biz/gall.php?url= O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url= O15 - Trusted Zone: .awmdabest.com O15 - Trusted Zone: .frame.crazywinnings.com O15 - Trusted Zone: .awmdabest.com (HKLM) O15 - Trusted Zone: .frame.crazywinnings.com (HKLM) O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM) O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe 6. Reboot the PC. Run hijackthis again and fix any leftover nowfind.biz entrys and then post another FindIt’s log and hijackthis log. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

04-28-2005, 04:01 AM	#11 (permalink)
Frostie_9 Registered User Join Date: Apr 2005 Posts: 7 OS: WinXP	Hello Microbell I followed the procedure and had a problem with this: c:\windows>nail.exe /fullRemove --> my computer doesn't recognize nail.exe Also in the Hijackthis, he can't find F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe Here are the logs: Microsoft Windows XP [versie 5.1.2600] PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. »»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Dont delete file's in the section without guidance If any doubt back them up first »»»»» lagitamate file's can/will show in this section. »»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» »»»»» Checking Windir\svcproc.exe and nail.exe. »»»»» Checking for System32\DrPMon.dll. »»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder. Het volume in station C heeft geen naam. Het volumenummer is 4039-8EF0 Map van C:\WINDOWS\SYSTEM32 »»»»» Checking for SAHAgent ico files. Het volume in station C heeft geen naam. Het volumenummer is 4039-8EF0 Map van C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»». ! REG.EXE VERSION 3.0 HKEY_CURRENT_USER\Software\aurora ! REG.EXE VERSION 3.0 HKEY_CURRENT_USER\Software\Bolger ! REG.EXE VERSION 3.0 HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj <geen naam> REG_SZ Bolger Functional Class ! REG.EXE VERSION 3.0 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon Driver REG_SZ DrPMon.dll ! REG.EXE VERSION 3.0 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon Driver REG_SZ DrPMon.dll ! REG.EXE VERSION 3.0 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon Driver REG_SZ DrPMon.dll Logfile of HijackThis v1.99.1 Scan saved at 11:46:57, on 28/04/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\bellen\Skype\Phone\Skype.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\interMute\SpySubtract\SpySub.exe C:\Program Files\Anti-Spyware\Ewido\security suite\ewidoctrl.exe C:\Program Files\Anti-Spyware\Ewido\security suite\ewidoguard.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\WINDOWS\System32\msiexec.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\System32\MsiExec.exe C:\Program Files\Anti-Spyware\Hijack This\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\bellen\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing) O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing) O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Anti-Spyware\Ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Anti-Spyware\Ewido\security suite\ewidoguard.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe Thanks for your help!!!

04-28-2005, 07:25 PM	#12 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Few more cleanup items.... Click start...run..type in regedit. Navigate to each of the following keys and remove the file/folder/entry in BOLD if listed... HKEY_CURRENT_USER\Software\aurora HKEY_CURRENT_USER\Software\Bolger HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj <geen naam> REG_SZ Bolger Functional Class HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ ZepMon Driver REG_SZ DrPMon.dll HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon Driver REG_SZ DrPMon.dll HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon Driver REG_SZ DrPMon.dll Your logs are clean. Any more issues? If not you should be good to go. Please install the latest service packs and security updates for both XP and IE6. Please read through the spyware prevention section on how to protect yourself from spyware/adware Here and use the recommend programs and methods to protect yourself! __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

05-02-2005, 08:35 AM	#13 (permalink)
Frostie_9 Registered User Join Date: Apr 2005 Posts: 7 OS: WinXP	Hi Microbell It's true, my logs are clean!! Thank you very much for helping me! You did a great job, keep going to help people! Now I will protect my computer and I hope it never comes back. Thanks a lot. Frostie_9