#1
Registered User
Join Date: Mar 2005
Posts: 48
OS: XP

[RESOLVED] Junk-O-Rama
I've got some junk on my computer, and it's slower than a snail going uphill.

Here's my HijackThis log, I haven't a clue on what the problem is:

Logfile of HijackThis v1.99.1
Scan saved at 12:17:32 PM, on 4/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\mcrnng.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\mmvpvm.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\mriim700.exe
C:\WINDOWS\System32\abasa5jrp.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Direct Connect\Direct Connect.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsmD9.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mmvpvm.exe
O4 - HKLM\..\Run: [vwmgzo] c:\windows\system32\vwmgzo.exe
O4 - HKLM\..\Run: [180sacidinstaller] C:\DOCUME~1\Owner\LOCALS~1\Temp\180SACIDInstaller.exe /did=5592
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [kxakzuqs] C:\Program Files\kxakzuqs\kxakzuqs.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [mhxokc] c:\windows\system32\mcrnng.exe
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\System32\abasa5jrp.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [krwk] C:\PROGRA~1\COMMON~1\krwk\krwkm.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [aw47RfJme] mriim700.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{29DF46C9-A4BC-471F-B55B-362BE2954472}: NameServer = 151.164.17.201 151.164.11.201
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for any and all help.
~ RS
#2
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
Hi. Welcome to TSF's HijackThis Log Help.
I'm currently reviewing your log under the supervision of an expert analyst. I'll be back with a fix for your problem ASAP, and I ask your patience while it's being composed and checked. We recommend that you subscribe to this thread so you'll be notified as soon as we post your fix. To do this, at the top of your original post, click Thread Tools and then Subscribe to this thread; on the next page, make sure "Instant notification by email" is selected, then click Add subscription. Thanks.
__________________
Have TSF volunteers helped you? Please consider helping TSF by subscribing or donating. Thanks!
#3
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
Hello again.

You have several different nasty infections there. It may take a few passes to get all of this cleaned up, and I again ask for your patience as we tackle it. Let's get started..

Before proceeding, please print this page or copy it to Notepad to help you carry out the instructions. If you have questions about any instruction, please ask before performing it.

1. Download and install CleanUp.

2. Download KillBox.

3. Download Rkfiles.zip and UNZIP the contents to a permanent folder on your desktop.

4. Download the attachment remv3.zip from this page. Make a folder on the root drive C:\ and unzip the files into it.

5. Download ewido security suite.

6. It looks like you have been infected with at least one virus. If you have a fast internet connection (broadband), run an online scan at Trend Micro or RAV Antivirus. Please select the "autoclean" option when using Trend Micro.

7. Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

8. Update ewido's database. Run a scan and let it clean the PC.

9. Run CleanUp! and click the CleanUp! button. When it asks whether you want to log off, click Yes.

10. Reboot your system into Safe Mode: restart it and then repeatedly tap the F8 key until the menu appears, then select Safe Mode.

11. Open HijackThis. Click Config > Misc. Tools > Open process manager. If they still exist -- and they might not -- select the following items one at a time and click Kill process for each:
c:\windows\system32\mcrnng.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\mmvpvm.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\mriim700.exe
C:\WINDOWS\System32\abasa5jrp.exe

12. Click Start > (Settings >) Control Panel > Add/Remove Programs. If the following programs exist -- and they might not -- uninstall them:
kxakzuqs

13. Open Hijack This and click Scan. If they still exist -- and some might not -- check all of the following entries (make sure you do not miss any):
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsmD9.dll
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\mmvpvm.exe
O4 - HKLM\..\Run: [vwmgzo] c:\windows\system32\vwmgzo.exe
O4 - HKLM\..\Run: [180sacidinstaller] C:\DOCUME~1\Owner\LOCALS~1\Temp\180SACIDInstaller.exe /did=5592
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [kxakzuqs] C:\Program Files\kxakzuqs\kxakzuqs.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [mhxokc] c:\windows\system32\mcrnng.exe
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\System32\abasa5jrp.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [krwk] C:\PROGRA~1\COMMON~1\krwk\krwkm.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [aw47RfJme] mriim700.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Please close all other windows, including browsers, then click Fix checked.

14. If they still exist, delete the following files indicated in RED and folders indicated in BLUE.
files:
C:\WINDOWS\System32\abasa5jrp.exe
C:\WINDOWS\System32\ap9h4qmo.exe
c:\windows\system32\mcrnng.exe
C:\WINDOWS\System32\mmvpvm.exe
C:\WINDOWS\System32\mriim700.exe
C:\WINDOWS\System32\nsmD9.dll
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\winupdt.exe
c:\windows\system32\vwmgzo.exe
C:\WINDOWS\Bolger.dll
C:\WINDOWS\cfgmgr51.dll
C:\WINDOWS\Nail.exe
you'll need to search for these files:
AUNPS2.DLL
mriim700.exe (we've already deleted one by this name, but let's make sure there's not another)
folders:
C:\PROGRAM FILES\COMMON FILES\krwk
C:\Program Files\kxakzuqs

15. Reboot your system into Safe Mode once more (again, this means repeatedly tapping F8 until the menu appears, then selecting Safe Mode). This is very important, as the following must be done in Safe Mode!

16. Double-click rkfiles.bat. It will scan for a while, so please be patient. Wait until the DOS window closes, then open the C:\log.txt it created and rename it log1.txt. This is important: both this tool and the next one use log.txt as the logfile name, so if you don't rename this one, it'll be overwritten when you run the next tool, and you don't want that!

17. Next, open the folder where you unzipped the remv3.zip files, and double-click the rem.bat file. Let it run. It will delete the files and remove the infection, and then make a log of the files it finds. The log files will be C:\log.txt and bad1.txt.

18. Reboot back to normal mode.

In your next post, please include a fresh HijackThis log and the contents of both the log.txt and log1.txt (from the rkfiles and rem.bat scans), and let's see how much progress we've made.
__________________
Have TSF volunteers helped you? Please consider helping TSF by subscribing or donating. Thanks!
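Added example, not from this thread and not part of HijackThis itself: a small Python triage script for logs in the format shown in post #1, keyed on the patterns the fix list above actually uses. The heuristic names, the Finding type and the sample lines are all constructed for this example; the sample lines are modelled on the logs posted in the thread and are not a complete log. It flags a system.ini Shell= value that is anything other than Explorer.exe (the Nail.exe line), O4 autoruns that launch from a Temp folder or give no path at all, one executable registered under several Run keys (ntddetect.exe appears under HKLM Run, HKLM RunServices and HKCU Run), and O23 services with no vendor or whose binary is reported missing.

```python
"""Triage a HijackThis v1.99-style log for the patterns this thread keys on.

Heuristics (all are assumptions of this example, not HijackThis features):
  shell_hijack  - F2 system.ini Shell= line that is not exactly Explorer.exe
  temp_run      - O4 autorun whose target lives under a \\Temp\\ folder
  bare_name     - O4 autorun whose target has no path at all
  multi_key     - one executable registered under several Run/RunServices keys
  unknown_owner - O23 service with no vendor string
  file_missing  - O23 service whose binary HijackThis could not find
"""
import re
from collections import defaultdict
from typing import List, NamedTuple


class Finding(NamedTuple):
    reason: str  # which heuristic fired
    detail: str  # the offending log line, or a one-line summary


# Constructed sample: lines in the format HijackThis v1.99 emits, modelled on
# the logs posted in this thread (not a complete log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [180sacidinstaller] C:\DOCUME~1\Owner\LOCALS~1\Temp\180SACIDInstaller.exe /did=5592
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Owner\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKCU\..\Run: [aw47RfJme] mriim700.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First executable-looking token of an O4 command, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|com|bat|scr))"?(?=[\s,]|$)', re.IGNORECASE)


def _target(cmd: str) -> str:
    """Executable part of an O4 command, lower-cased, quotes and arguments stripped."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group("exe").lower()
    return cmd.split()[0].lower() if cmd else ""


def triage(log_text: str) -> List[Finding]:
    """Run every heuristic over a log and return the findings in log order."""
    findings: List[Finding] = []
    keys_by_target = defaultdict(set)  # executable -> set of Run keys it sits under
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = F2_RE.match(line)
        if m:
            # Shell= should be exactly Explorer.exe; anything appended starts with the shell.
            if m.group("shell").strip().lower() != "explorer.exe":
                findings.append(Finding("shell_hijack", line))
            continue
        m = O4_RE.match(line)
        if m:
            target = _target(m.group("cmd"))
            if "\\temp\\" in target:
                findings.append(Finding("temp_run", line))
            if "\\" not in target:
                findings.append(Finding("bare_name", line))
            keys_by_target[target].add(m.group("hive") + "\\" + m.group("key"))
            continue
        m = O23_RE.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                findings.append(Finding("unknown_owner", line))
            if m.group("path").endswith("(file missing)"):
                findings.append(Finding("file_missing", line))
    # Same binary under more than one autorun key is the redundancy seen with ntddetect.exe.
    for target, keys in sorted(keys_by_target.items()):
        if len(keys) > 1:
            findings.append(Finding("multi_key", "%s registered under %d keys: %s"
                                    % (target, len(keys), ", ".join(sorted(keys)))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-14s %s" % (f.reason, f.detail))
```

The script only reads the log text; it does not touch the registry or delete anything, so it is safe to run against a pasted log while deciding which lines to ask about.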
#4
Registered User
Join Date: Mar 2005
Posts: 48
OS: XP
(Bolded text is bolded to avoid confusion)
Thanks for the help thus far. My computer is running faster, there are fewer popups than before, and it seems that I've finally gotten rid of that damn Nail.exe file.

Here's the new HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 11:57:38 PM, on 4/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Owner\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [razin] C:\DOCUME~1\Owner\LOCALS~1\Temp\rm05040901.Stub.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: strings.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29DF46C9-A4BC-471F-B55B-362BE2954472}: NameServer = 151.164.17.201 151.164.11.201
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I ran the rkfiles.bat, and all I got was this:

C:\WINDOWS\system32\delfin0414.dll: UPX!
C:\WINDOWS\system32\goldnew2b0414.dll: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

I also ran rem.bat, and I got:

Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 20E0-FAEF
Directory of C:\WINDOWS\system32
msi.dll
Finished

Again, thanks for the help so far.
~ RS
#5
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
Hello again.

That's definitely progress. Let's see if we can get the rest..

Before proceeding, please print this page or copy it to Notepad to help you carry out the instructions. If you have questions about any instruction, please ask before performing it.

1. Run CleanUp! and click the CleanUp! button. When it asks whether you want to log off, click Yes.

2. Reboot your system into Safe Mode: restart it and then repeatedly tap the F8 key until the menu appears, then select Safe Mode.

3. Open Hijack This. On the main screen, click Open the misc tools. Then click Delete an NT Service. In the box that pops up, paste in:
svcproc.exe
and click OK. Under "Other Stuff" in the bottom right-hand corner, click Back to return to the HJT scanning screen.

4. Now click Scan. If they still exist -- and some might not -- check all of the following entries (make sure you do not miss any):
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Owner\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [razin] C:\DOCUME~1\Owner\LOCALS~1\Temp\rm05040901.Stub.exe
O4 - Global Startup: strings.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
Please close all other windows, including browsers, then click Fix checked.

5. Next, search for a file called strings.exe. Don't do anything with it yet -- just note its location.

6. Run Killbox (one of the programs you downloaded in the last fix). You'll need to paste the following list of files into Killbox one at a time. Check the Delete on Reboot box and the Unregistered DLL (if the latter is available -- it won't be every time). Click the red X, and it will ask to reboot now; click NO and proceed with the next file. Once you get to the last one, click YES so it will reboot. If you get a "Pending FileRename Operations Registry Data has been Removed by External Process!" message, then just restart manually.

Here's the list of files to delete -- some of them may not exist:
C:\WINDOWS\system32\delfin0414.dll
C:\WINDOWS\system32\goldnew2b0414.dll
c:\windows\SvcProc.exe
strings.exe (that is, the one you just looked up)

7. Reboot your system into Safe Mode once more (again, this means repeatedly tapping F8 until the menu appears, then selecting Safe Mode). This is very important, as the following must be done in Safe Mode!

8. Now you need to run rkfiles.bat and rem.bat again. You should probably delete or move the logs you created with these tools last time around so there's no confusion between the old and new ones:
Double-click rkfiles.bat. It will scan for a while, so please be patient. Wait until the DOS window closes, then open the C:\log.txt it created and rename it log1.txt. This is important: both this tool and the next one use log.txt as the logfile name, so if you don't rename this one, it'll be overwritten when you run the next tool, and you don't want that!
Next, open the folder where you unzipped the remv3.zip files, and double-click the rem.bat file. Let it run. It will delete the files and remove the infection, and then make a log of the files it finds. The log files will be C:\log.txt and bad1.txt.

9. Reboot back to normal mode.

In your next post, please include a fresh HijackThis log and the contents of both the log.txt and log1.txt (from the rkfiles and rem.bat scans).
#6
Registered User
Join Date: Mar 2005
Posts: 48
OS: XP
I followed your instructions as best I could; I cannot download CleanUp!, I believe the links are broken.
Here's the newest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:02:36 PM, on 4/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29DF46C9-A4BC-471F-B55B-362BE2954472}: NameServer = 151.164.17.201 151.164.11.201
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And here's the rem.bat log:

Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 20E0-FAEF
Directory of C:\WINDOWS\system32
msi.dll
Finished

I couldn't find a couple of things, but that's all. Anything else?
~ RS
#7
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
Hi again --

Closer still.. the log is almost clean. It's pretty important that we get CleanUp! to run, because that's going to take out any lingering installers in your Temp folders and various other locales. Here's a more direct link -- see if you can get it from here. If you have problems downloading it from here, please let me know and we'll figure out some other way to get it to you.

Also, did you run rkfiles last time around? I didn't see its logfile in the last post, only the rem.bat file. We need to take a look at that as well.

So, assuming you can get CleanUp!, here's your next set of instructions. As always, you should print them so you can access them during your fix:

1. Go to Start > Run and type Services.msc, then click OK. In the list that appears, scroll down to find a service called System Startup Service (SvcProc) and double-click on it. In the next window, click Stop, then click Properties, and under the General tab, change the Startup Type to Disabled. Click Apply, then OK, then close any open windows.

2. Run CleanUp! and click the CleanUp! button. When it asks whether you want to log off, click Yes.

3. Reboot your system into Safe Mode once more (again, this means repeatedly tapping F8 until the menu appears, then selecting Safe Mode). This is very important, as the following must be done in Safe Mode!

4. Make sure any open programs, especially Web browsers, are closed. Open Hijack This and click Scan. If they still exist -- and some might not -- check all of the following entries (make sure you do not miss any):
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
Please close all other windows, including browsers, then click Fix checked.

5. Check whether c:\windows\SvcProc.exe exists; if it does, delete it.

6. Again, clear out your old rkfiles and rem.bat logs to make way for these new ones, then: Double-click rkfiles.bat. It will scan for a while, so please be patient. It'll save as C:\log.txt.

7. Run CleanUp! and click the CleanUp! button. When it asks whether you want to log off, click Yes.

8. Reboot back into normal mode.

In your next post, please include a fresh HijackThis log and the contents of the rkfiles log.
#9
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
Hi again --
Mea culpa -- I had a second site for you to try to get CleanUp! from, and I somehow edited it out of the post. Try here. That's a direct link to the program, so you'll get a dialog box asking about a download. If it doesn't work straight up for you, try right-clicking on that link. In the context menu that pops up, choose Save Target As.., then pick a location on your computer to which to save the file, then click Save.

As for rkfiles, it takes quite a while. It's going to vary by computer, so I can't give you a set time, but I ran it on a machine at work last week and it took easily half an hour or more.

Tina
#10
Registered User
Join Date: Mar 2005
Posts: 48
OS: XP
I did everything you asked, and here are the two logs. The first one is HijackThis, the second is rkfiles:
Logfile of HijackThis v1.99.1
Scan saved at 2:27:27 PM, on 4/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29DF46C9-A4BC-471F-B55B-362BE2954472}: NameServer = 151.164.17.201 151.164.11.201
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Documents and Settings\Owner\Desktop\RKFiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

Again, thanks for all your help.
~ RS
#11
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
Hi, RS --
Your logs are clean. You just need to clear out your existing System Restore Points to remove the last traces of the infection, so the problem isn't inadvertently regenerated later if you ever have to do a restore:

1. First, turn off System Restore: right-click My Computer and click Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, existing restore points will be deleted. Click Yes to do this, then click OK.

2. Next, reboot your system.

3. Finally, re-enable System Restore and create a new Restore Point: right-click My Computer and click Properties. Click the System Restore tab and uncheck "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply and then OK.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the recommended tools. If you're not experiencing any more problems, you should be all set.
#13
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
No prob.