Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Aurora and maybe more?


  • Please log in to reply
10 replies to this topic

#1 puyo53

puyo53

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 23 May 2005 - 03:57 AM

I'm pretty sure I've got the dreaded Aurora. Along with it, it brought these viruses:

C:\WINDOWS\SYSTEM32\Poller.exe
C:\WINDOWS\SYSTEM32\wrapperouter.exe
C:\WINDOWS\SYSTEM32\main.exe
C:\Program Files\sdf.exe
C:\Program Files\ddd.exe
C:DOCUME~1\Owner\LOCALS~1\Temp\AUTOUP~2\AutoUpdate.exe
C:\Program Files\FwBarTemp\searchbar.exe
C:\WINDOWS\SYSTEM32\SSK3_B5 Seedcorn 4.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\54KVLLWT\Poller[1].exe


Here's my Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 4:56:01 AM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe


F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINDOWS\system32\crbs32.exe (file missing)


I realize there are a number of people that have gotten this virus and you guys have fixed it before, but because it seems like each one is a little different, I thought I better ask before trying to do it myself. Help would be greatly appreciated. Thanks.

Edited by puyo53, 23 May 2005 - 03:58 AM.


BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:07:49 AM

Posted 23 May 2005 - 09:41 PM

Hello puyo53 and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Start ewido and perform an update and then close it. Do not run it yet.

Step #2

Open Notepad and copy/paste the text from the quotebox below into the new document:

if exist process.exe (
    process -k explorer.exe
  ) ELSE (
    cmd /c "echo Process.exe missing.  Please unzip completely and rerun this file.&&pause&&exit"
  )

cd %windir%
Nail.exe /fullremove

del /a /f nail.exe
cd %windir%\system32
del /a /f DrPMon.dll crbs32.exe

echo REGEDIT4 > nailfix.reg
echo. >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%AF] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%AF] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%AF] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_%AF] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\%AF] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_%AF] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\%AF] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_%AF] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\%AF] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_%AF] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\%AF] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_%AF] >> nailfix.reg
echo [-HKEY_CURRENT_USER\Software\_rtneg3] >> nailfix.reg
echo [-HKEY_CURRENT_USER\Software\aurora] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{0962DA67-DB64-465C-8CD7-CBB357CAF825}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{356B2BD0-D206-4E21-8C85-C6F49409C6A9}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{52ADD86D-9561-4C40-B561-4204DBC139D1}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{999A06FF-10EF-4A29-8640-69E99882C26B}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{018C5406-AEE6-4A68-980F-2CEB1E9416FB}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{0A7FC040-F84A-4AD7-9439-798B6C0F861E}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{32A9D21F-F510-44DC-9EA6-0456EDA04668}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{4562B6F3-DAF8-464E-87B7-5464575F0D6A}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{C93CC79D-02D5-45B0-BE39-7F5B0E5DDA31}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{DA4B919F-B757-4E32-8D79-DEC5C2704C4B}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.amo] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.iiittt] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.momo] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.ohb] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\TypeLib\{DA15C9A2-C30A-4761-922A-5DFE7C9A1F67}] >> nailfix.reg
echo [-HKEY_CURRENT_USER\Software\Bolger] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon] >> nailfix.reg

regedit /s nailfix.reg
del nailfix.reg

start explorer.exe
exit


Save the document to your desktop as fixnail.cmd and close Notepad.

Step #3

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Locate the fixnail.cmd file on your desktop and double-click on it to run it. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Step #5

Start ewido and click on the Scanner button. On the Scanner page click on My Computer and then click the Start button to begin the scan. Let it run to completion and fix anything that it finds.

Step #6

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINDOWS\system32\crbs32.exe (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 puyo53

puyo53
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 23 May 2005 - 10:22 PM

When I click on the fixnail.cmd, it tells me I don't have the process.exe file. What should I do, or is there another fix?

#4 puyo53

puyo53
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 23 May 2005 - 10:27 PM

A similar problem happened to another user here (Alfred_Downs)

"Nailfix.cmd in safe mode threw up this message
QUOTE
Process.exe missing. Please unzip completely and rerun this file.



I did this and nothing seemed to have happened other than the folder My Documents" opening. "


Same thing happened here. There isn't anything more to "unzip" because it is a copy and paste. I hit enter to continue (it gives you the option of hitting any key to proceed) and it scanned a bunch of things before finally (after about scrolling down 2/3 of the way) kicking up my "My Documents".

#5 puyo53

puyo53
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 23 May 2005 - 11:43 PM

Okay, I went through all the steps and it seems everything is working MUCH better now.

The O23 that you told me to remove (O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINDOWS\system32\crbs32.exe (file missing)) is still there, but it doesn't seem to be causing problems.

Below is my NEW hijackthis logfile, and below that, the ewido log saved after the cleaning (Over 100 files :thumbsup: , though the majority were tracking cookies); all files reported were removed.



Logfile of HijackThis v1.99.1
Scan saved at 12:36:01 AM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\imapi.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe
C:\PROGRA~1\MUSICM~1\Common\COMPON~1\MMCOMP~1.EXE

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINDOWS\system32\crbs32.exe (file missing)



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:32:28 AM, 5/24/2005
+ Report-Checksum: 31B7F14D

+ Date of database: 5/23/2005
+ Version of scan engine: v3.0

+ Duration: 60 min
+ Scanned Files: 82829
+ Speed: 22.85 Files/Second
+ Infected files: 122
+ Removed files: 122
+ Files put in quarantine: 122
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Brian\Cookies\brian@247realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@articles.health.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@banner3.inet-traffic[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@data.coremetrics[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@dcskqeg2voifwznnd6alhtnei_8f3u[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@ehg-bestbuy.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@ehg-dig.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@ehg-etoys.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@ehg-foxsports.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@ehg-ubisoft.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@ehg-wizardsofthecoast.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@inet-traffic[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@infoaging.sitetracker[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@mediaplex[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@nwvault.ign[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@statse.webtrendslive[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@valueclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Brian\Cookies\brian@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@cz7.clickzs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@image.masterstats[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@outster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@server.iad.liveperson[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Dad\Cookies\dad@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Derik\Cookies\derik@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Derik\Cookies\derik@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Derik\Cookies\derik@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Derik\Cookies\derik@bfast[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Derik\Cookies\derik@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Derik\Cookies\derik@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Derik\Cookies\derik@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Derik\Cookies\derik@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Derik\Cookies\derik@valueclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Derik\Cookies\derik@yantis[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Derik\Cookies\derik@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@ads.addynamix[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@ads.com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@bfast[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@burstnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@dcskqeg2voifwznnd6alhtnei_8f3u[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@ehg-dig.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@servedby.netshelter[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@valueclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Justin\Cookies\justin@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0800DF34-846C-4232-BCC8-EDC4F8\03FCAB44-D980-4F0C-894F-8BE75D -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1BE5EFC4-B1EB-408E-98B5-AFC8C3\35DBC78E-4419-4527-9CCE-C20581 -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3A477033-913B-4C4A-B11C-55F8BE\ABED74B8-C901-4DD0-A774-8F531A -> TrojanDownloader.QDown.s -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4815D644-466D-44E6-8015-866D41\416C02CE-517B-4119-B80B-8C0F1C -> Spyware.Wintol.y -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4815D644-466D-44E6-8015-866D41\B27CCDEC-BBAB-4A81-BE87-9D95C2 -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4865E25A-41B6-49FB-88B5-510D12\DA53602C-0225-4C82-934A-CF4386 -> Spyware.Sahat.l -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\ADDC9C16-5DEE-47FE-A6D0-FBE623\341447B8-C821-404F-B4C8-E37DF6 -> Spyware.Wintol.y -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\ADDC9C16-5DEE-47FE-A6D0-FBE623\A22003C2-6063-4567-BD00-199330 -> TrojanDownloader.Wintool.f -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\CE05C048-B779-495A-84E5-1ECF5E\0486081F-A1BA-48C2-8B9C-8F13FB -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E8D80B64-A012-4595-AEFC-48DC4C\996A6D60-41AA-43C3-9492-8BB11C -> Spyware.BookedSpace -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E9D97828-589D-4DF9-9FED-6BCDBF\FA79F8AC-3BF7-481D-BD80-1081AF -> Spyware.Sahat.l -> Cleaned with backup
C:\Program Files\Toolbar\gykhxlmu.rmr -> Spyware.IBISToolbar -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP928\A0099480.dll -> Spyware.WinAD.ag -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0101312.exe -> TrojanDownloader.Wintool.f -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0101319.dll -> Spyware.WinAD.ac -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0101324.dll -> Spyware.WebSearch.aj -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0101336.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0101344.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0101367.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP964\A0101368.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP965\A0101385.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\sysdllwm.reg -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ps1.exe -> Spyware.Pacer.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sxsvb.exe -> Trojan.AproposAd -> Cleaned with backup
C:\WINDOWS\SYSTEM32\tftncode.exe -> Trojan.AproposAd -> Cleaned with backup


::Report End



Whatever I got hit with, it was something fierce! Thanks for your help, and please let me know what other problems (if any...though hopefully not!) you see. Also, what should I do with CCleaner? You told me to download it, but it wasn't used in the steps above...

~puyo53

Edited by puyo53, 23 May 2005 - 11:45 PM.


#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:07:49 AM

Posted 24 May 2005 - 12:29 PM

Hi puyo53. The log looks good except for the service so let's try and remove that with the following procedure:

Open Notepad and Copy/Paste the contents of the quote box below into the new document:

 
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
  ("Select * from Win32_Service Where DisplayName = 'Network Security Service (NSS)'")
For Each objService in colListOfServices
If objService.State = "Stopped" then
MsgBox "Stopped Already"
Else
objService.StopService()
MsgBox "Service Stopped"

End IF
  objService.Delete()


Next

MsgBox "Done"


Save the file to your desktop as remsvc.vbs and close Notepad. Locate the remsvc.vbs file on your desktop and double-click on it to run it. You'll get an 'already stopped' message and then another message box saying 'Done!'.

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#7 puyo53

puyo53
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 26 May 2005 - 08:16 AM

Okay, I did as said and when I ran it, a window popped up saying there was a script error at line 7, character 1.

I also ran Hijack This just to see if the security service is still there and it is:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:02 AM, on 5/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINDOWS\system32\crbs32.exe (file missing)


Your recommendations?

~puyo53

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:07:49 AM

Posted 26 May 2005 - 11:17 AM

Hi puyo53. Then let's do it the manual way.

Download and install Registrar Lite
  • Start RegLite
  • Navigate to the registry key below: (You can copy/paste the bold text into the address bar).
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
  • In the right-hand pane locate the entry for Network Security Service (NSS) and right-click on it. Choose Delete from the popup menu.
  • Now navigate to:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
  • In the right-hand pane locate the entry for LEGACY_Network Security Service (NSS) and right-click on it. Choose Delete from the popup menu.
  • If the above Legacy_ isn't visable, look for a LEGACY_ key with a long list of random letters and numbers that is similar. This key will contain the subkey with the bad service name. Right-click on that key and delete it.
  • Repeat the above steps for all other ControlSets (i.e. ControlSet001, ControlSet002 etc).
  • Exit RegLite.
Note: If you have trouble deleting a key. Click once on the key name to highlight it and click on the Security menu option and then the Edit Permissions item. Then Uncheck Allow inheritible permissions, click on Everyone in the uppder box and put a checkmark in Full control in the lower box. Click the Apply button and then the Ok button and attempt to delete the key again.

Close the Services window and reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#9 puyo53

puyo53
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 14 June 2005 - 09:24 PM

I know, it is a very late reply, but I've been out of town.

Got back and did as followed, but I had some problems:

Under all of the Control Sets (Current, 001, 003, and 004; I have no 002) there was no Network Security Service or NSS files. There was however, under current and 004, a file named %AF , and I deleted both instances (under "Services")

There also was no Legacy_Network Security Service or NSS files under the Enum/Root folder. Under a few control sets there was a Legacy key with a long list of random letters and numbers that you said there might be. I right clicked and tried to delete them, but a warning popped up (with the Red X icon) saying "Access Denied".


This is my logfile of Hijackthis BEFORE rebooting my computer:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:46 PM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe





I will now reboot my computer and promptly post an updated logfile.

~Justin

#10 puyo53

puyo53
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:49 AM

Posted 14 June 2005 - 09:29 PM

Restarted my computer and it seems it is still gone:

Logfile of HijackThis v1.99.1
Scan saved at 10:27:49 PM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe
C:\PROGRA~1\MUSICM~1\Common\COMPON~1\MMCOMP~1.EXE

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




So maybe that was enough?

Lemme know what you think.

~Justin

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:07:49 AM

Posted 14 June 2005 - 09:34 PM

Hi puyo53. Well, the log is now clean. Good job! How are things running? Any more problems?

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users