Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Aurora pop ups / nail.exe and svcproc.exe


  • This topic is locked This topic is locked
4 replies to this topic

#1 taylor1

taylor1

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:52 AM

Posted 21 June 2005 - 10:15 AM

Hi all

I have problems with Aurora - Part of the ABI network popups (a better inernet indeed!!). I have run AVG, adaware, and ewido security suite and deleted infected files to no avail. Any help would be much appreciated. I have spent about 2 weeks reading posts online and realise that it is often quite complicated and tedious.
Thanking you in advance,
Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 16:05:57, on 21/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\S3hotkey.exe
C:\WINDOWS\system32\S3tray2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
c:\windows\system32\dqkroc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [jfoxlzt] c:\windows\system32\svhvusd.exe
O4 - HKLM\..\Run: [xyobqea] c:\windows\system32\dqkroc.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...503/mcfscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

BC AdBot (Login to Remove)

 


m

#2 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:02:52 AM

Posted 21 June 2005 - 11:35 AM

Hi, and welcome to BC. :thumbsup:

You will probably want to print these instructions, because we will be working in Safemode part of the time.
These steps must be done in the following sequence:

Preparation:
I see that you already have Ewido installed. Let's make sure it is updated:
From the main Ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Exit Ewido. DO NOT scan yet.

** Download and install CCleaner from here: http://www.ccleaner.com/ccdownload.asp
But do not run it yet.

** Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?dow...050515010747824
If that does not work try this alternative link:
http://dknoppix.com/Downloads/Nailfix.zip

Unzip it to the desktop but please do NOT run it yet.

Enable the “Show Hidden Folders” option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck the Hide Protected Operating System Files (recommended) option.
Click Yes to confirm.
Click OK.

Procedure:
** Please reboot into Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

** Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and
icons will disappear and reappear, and a window should open and close
very quickly --- this is normal.

** While still in Safemode, please run Ewido. Run a full scan and save the logfile from the scan like this:

1. Click on the Scanner button in the left menu, then click on the Start button. [This scan can take some time to complete]
2. If ewido finds anything, it will pop up a notification.
3. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
4. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

** Please run HijackThis, click Scan, and tick these:
O4 - HKLM\..\Run: [jfoxlzt] c:\windows\system32\svhvusd.exe
O4 - HKLM\..\Run: [xyobqea] c:\windows\system32\dqkroc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Close all open windows except for HijackThis and click "Fix Checked".

** Delete the specified files/folders if they still exist:
C:\WINDOWS\Nail.exe <--file
c:\windows\system32\svhvusd.exe <--file
c:\windows\system32\dqkroc.exe <--file
C:\WINDOWS\svcproc.exe <--file

** Still in Safemode, run CCleaner:

Click the Windows tab

Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files

System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data

Next: Click Options. Click the Advanced (or Settings in some versions)
Uncheck: "Only delete files older than 48 hrs.". Click OK.

UNCHECK all other defaults listed on the:
Issues and Applications tabs.

Click Run Cleaner (bottom right). Then Exit (reboot)

Restart your computer in normal mode

Go back and rehide the Protected System Files:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
CHECK the Hide Protected Operating System Files (recommended) option.
Click Yes to confirm.
Click OK.

Please post a new HijackThis log in this thread, as well as the log from the Ewido scan.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#3 taylor1

taylor1
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:52 AM

Posted 21 June 2005 - 04:51 PM

Hi Bugbatter

Cheers for the reply.
I followed your instructions:
1. Downloaded nailfix and CCleaner

2. In safe mode ran Ewido but it made my computer turn itself off 4 times in a row so i decided to give up on that in safe mode.

3. Went into HJT still in safe mode and clicked and fixed
O4 - HKLM\..\Run: [jfoxlzt] c:\windows\system32\svhvusd.exe
However O4 - HKLM\..\Run: [xyobqea] c:\windows\system32\dqkroc.exe was not in that HJT scan so could not fix it - instead a different O4 was detected -
O4 - HKLM\..\Run: [nvczcd] c:\windows\system32\gcveyz.exe r - as seen in my new log file.
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

4. Ran CCleaner ok

5. All the files which you said to delete if still in existence were not in existence.

6. Restarting windows in normal mode - got the message "Cannot find the file C:\windows\Nail.exe which i guess is good if that file is a virus and system was trying to open it.

7. Tried running ewido again but after 3 hours the progress was only at 14% so is there another program i could use? - I am sure that the last time i used ewido the scan took around 1hour to finish.

8. Anyway no pop-ups so far but don't like the look of F2 in the scan and also svcproc.exe is still there despite checking it and clicking fix previously.

Thanking you for your help and time.


Logfile of HijackThis v1.99.1
Scan saved at 22:23:25, on 21/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\S3hotkey.exe
C:\WINDOWS\system32\S3tray2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nvczcd] c:\windows\system32\gcveyz.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...503/mcfscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

#4 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:02:52 AM

Posted 21 June 2005 - 07:13 PM

Let's give this a try:
Download and run the free uninstaller available here:
http://www.mypctuneup.com/. Follow the steps. Reboot if prompted.
Then please post a fresh log. Thanks. :thumbsup:

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#5 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:02:52 AM

Posted 03 July 2005 - 01:56 PM

Due to lack of participation, I am closing this thread.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users