
Please check this logfile


#1 Adamh


Posted 05 June 2005 - 08:17 AM

This is my friend's logfile. He can't access the web, and from my basic knowledge I can see some viruses, but I want to be sure that I get rid of them all, so could you take a look please?

Logfile of HijackThis v1.99.1
Scan saved at 14:00:40, on 04/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\seeve.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\windows\system32\tervtg.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Documents and Settings\Ben Murphy\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wwwcache.nottingham.ac.uk/proxyall.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.nottingham.ac.uk:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {62B94D03-F9E6-4690-8326-F2842866ED17} - C:\DOCUME~1\BENMUR~1\APPLIC~1\GREATR~1\Safecake.exe (file missing)
O2 - BHO: (no name) - {B65BD9DF-9070-493A-62F8-890D4DDA3938} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [Copyskipspamowns] C:\Documents and Settings\All Users\Application Data\Htm Settings Copy Skip\CastNurb.exe
O4 - HKLM\..\Run: [r3sT32X] wmaec6.exe
O4 - HKLM\..\Run: [WPA] regedit.exe /s WXMCE_WPA_CRACK.reg
O4 - HKLM\..\Run: [Windows] run.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yloyrs] c:\windows\system32\tervtg.exe
O4 - HKLM\..\RunServices: [Windows] run.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - http://www.eingang69.de/EroticAccess/Cabs/1836003.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


#2 jahewi (Anti-Malware Helper)

Posted 05 June 2005 - 04:57 PM

Hi Adamh,

There are quite a few issues on your friend's computer.
Not having a working internet connection makes it a bit difficult, but I think we can manage.

Download the following files yourself and copy them to a CD:
- NailFix: http://www.noidea.us/easyfile/file.php?dow...050515010747824
- CCleaner: http://www.ccleaner.com/ccdownload.php
- Ewido Security Suite: http://www.ewido.net/en/download/
- Ewido signature database: Go to the Ewido download-site and download the Full Database

To install and use these programs, put the CD in your friend's computer and follow these instructions:

Unzip nailfix on the desktop, but don't use it, yet.

Install CCleaner, but don't use it, yet.

Install Ewido, but be sure to unmark the option Install background guard in the Additional Options-screen!
Install the database by double-clicking the file ewido-signatures-full-[date].exe ([date] is the date on which you downloaded the database file).
Don't use Ewido, yet.

Reboot the computer into Safe Mode

On the desktop, go into the NailFix-folder.
Click nailfix.cmd to remove the Aurora/nail-infection.
Your screen will be empty for a moment. That's normal.

Run Ewido and let it do a scan to get rid of additional files and the hidden installer of Aurora.

Start CCleaner and click Run Cleaner. When CCleaner is done, close it.

Click Start > Run > enter: cleanmgr
If you have more than one local hard disk, you will be asked which drive to clean. Choose C:
Now, Disk Cleanup will calculate how much space can be freed by compressing and deleting. This can take some minutes, so please be patient ;-)
In the list Files to Delete, at least check:
- Downloaded Program Files
- Temporary Internet Files
- Recycle Bin
- Temporary Files
- (Temporary) Offline Files
Now, click OK to let Disk Cleanup do its job.
When DiskCleanup is done, you can close it.

Be sure that all files and folders are visible:
- Click Start > Control Panel > Tools > Folder Options > View
- At Hidden files and folders, select 'Show hidden files and folders'
- Unmark 'Hide extensions for known file types'
- Click 'Apply' and then 'OK'.

Start HijackThis and click 'Scan'.
Only select the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {62B94D03-F9E6-4690-8326-F2842866ED17} - C:\DOCUME~1\BENMUR~1\APPLIC~1\GREATR~1\Safecake.exe (file missing)
O2 - BHO: (no name) - {B65BD9DF-9070-493A-62F8-890D4DDA3938} - (no file)
O4 - HKLM\..\Run: [Copyskipspamowns] C:\Documents and Settings\All Users\Application Data\Htm Settings Copy Skip\CastNurb.exe
O4 - HKLM\..\Run: [r3sT32X] wmaec6.exe
O4 - HKLM\..\Run: [WPA] regedit.exe /s WXMCE_WPA_CRACK.reg
O4 - HKLM\..\Run: [Windows] run.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [yloyrs] c:\windows\system32\tervtg.exe
O4 - HKLM\..\RunServices: [Windows] run.exe
O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - http://www.eingang69.de/EroticAccess/Cabs/1836003.cab


- IMPORTANT: Close all windows, except HijackThis.

- In HijackThis, click 'Fix Checked'.

- Restart your computer in Safe Mode

- Delete the following Files:
C:\WINDOWS\Nail.exe
C:\WINDOWS\seeve.exe
c:\windows\system32\tervtg.exe

- Delete the following folders:
C:\Documents and Settings\All Users\Application Data\Htm Settings Copy Skip

- Find and delete the following files:
wmaec6.exe
WXMCE_WPA_CRACK.reg

- Find the following file, but don't delete it, yet: run.exe
- Post the location of the file (the name of the folder).

- Restart your computer in Normal Mode and post a new HijackThis-log in this topic.


Good luck, Jan :-)

Edited by jahewi, 05 June 2005 - 04:59 PM.

... the best defence against malware is common sense ... ;)
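As an added illustration of the triage done on the log above (example code written for this page, not a tool from the thread), here is a small Python checker that flags the HijackThis line types the reply singles out: an F2 Shell= entry carrying an extra executable, O2 BHOs with no name or no file, O4 autorun entries that are bare filenames, O15 Trusted Zone additions, and O16 downloads from hosts outside an allowlist. The sample lines are copied from the posted log; the allowed-host list for O16 is an assumption made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines quoted in the thread above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B65BD9DF-9070-493A-62F8-890D4DDA3938} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [r3sT32X] wmaec6.exe
O4 - HKLM\..\RunServices: [Windows] run.exe
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - http://www.eingang69.de/EroticAccess/Cabs/1836003.cab
"""

# Hosts whose O16 ActiveX downloads are treated as expected (an assumption made for this example).
EXPECTED_DPF_HOSTS = ("msn.com", "microsoft.com")

def host_expected(host):
    return any(host == h or host.endswith("." + h) for h in EXPECTED_DPF_HOSTS)

def check_line(line):
    """Return why a HijackThis line deserves a closer look, or None if it looks routine."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    if section == "F2" and "Shell=" in line:
        # A clean system.ini Shell= holds only Explorer.exe; anything appended is loaded too.
        if [p.lower() for p in line.split("Shell=", 1)[1].split()] != ["explorer.exe"]:
            return "Shell= launches more than Explorer.exe"
    if section == "O2" and any(t in line for t in ("(no name)", "(no file)", "(file missing)")):
        return "BHO with no name or missing file"
    if section == "O4":
        m = re.search(r"\[[^\]]*\]\s+(.*)$", line)
        cmd = m.group(1).strip().strip('"') if m else ""
        # A bare filename with no path is resolved via the search path at logon.
        if cmd and "\\" not in cmd and ":" not in cmd:
            return "autorun entry is a bare filename with no path"
    if section == "O15":
        return "site added to the Trusted Zone"
    if section == "O16":
        host = urlparse(line.rsplit(" - ", 1)[1]).hostname or ""
        if not host_expected(host):
            return "ActiveX download from unexpected host " + host
    return None

def triage(log_text):
    """Map each flagged log line to the reason it was flagged."""
    return {l.strip(): r for l in log_text.splitlines() if (r := check_line(l))}
```

Running triage(SAMPLE_LOG) flags six of the nine sample lines; the Adobe BHO, the ehTray autorun and the MSN game cab pass as routine.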
