Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

aurora

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

aurora

Unread postby lguk » June 13th, 2005, 5:33 pm

could somebody please tell me how to remove aurora. I am running counterspy and have norten anti virus.Everytime counterspy runs it reports four or five malware infections even though I quarentine them and delete they appear the next time, or pop up even if I'm not online.
My husband's computer has also been infected through the router.

Linda.
lguk
Active Member
 
Posts: 6
Joined: June 13th, 2005, 4:51 pm
Advertisement
Register to Remove

Unread postby LDTate » June 13th, 2005, 5:52 pm

Hello lguk, Welcome to the Forum.

There's a new version of HijackThis.

Please delete any HijackThis Folders and Files you have now.


Please download this self extracting file to your My Downloads folder or My Received Files (dependent on your Operating System):

http://www.merijn.org/files/hijackthis_sfx.exe

Click the "Save" button.

Navigate to My Documents>Chose My Downloads or My Received Files folder once inside that folder click "Save".

Now go to the folder you saved HijackThis_sfx.exe in.

Double click HijackThis_sfx.exe and select Unzip. When done click "OK".
Close the WinZip self Extractor window.

Open HijackThis and select: Do a system scan and save a log file.

When the scan is finished, Click Edit> Select All> Edit> Copy> and paste its contents here [Add Reply].

Don't remove anything. Someone experenced with the logs will help.
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

aged log :-)

Unread postby lguk » June 14th, 2005, 2:08 pm

Sorry but I couldnt get the new one to work :( , here is a log using the old version. I hope this gives you the information you require.
Thank you in advance.

Linda

Logfile of HijackThis v1.99.1
Scan saved at 19:02:17, on 14/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\uy3khk20\uy3khk20.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\windows\system32\skrsun.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\uy3khk20\68172470.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\uy3khk20\uy3khk20.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Linda Gillan\Desktop\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/e ... efault.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00000000-0000-473B-8951-D8FBE35E2496} - C:\Program Files\uy3khk20\uy3khk20.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [uy3khk20] C:\Program Files\uy3khk20\uy3khk20.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [mmhtho] c:\windows\system32\skrsun.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Linda Gillan"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.0.8.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
lguk
Active Member
 
Posts: 6
Joined: June 13th, 2005, 4:51 pm

Unread postby LDTate » June 14th, 2005, 4:35 pm

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php? ... 5010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Ewido & HJT reports

Unread postby lguk » June 15th, 2005, 4:05 pm

Hi,

After carrying out your instructions above and booting into ‘normal’ mode, ewido picked up 2 viruses, oops sorry I got rid of them so quick I didn’t see what they were :oops: .
Here are the two reports you requested, thank you again.

Linda

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:48:47, 15/06/2005
+ Report-Checksum: A2539A35

+ Date of database: 15/06/2005
+ Version of scan engine: v3.0

+ Duration: 54 min
+ Scanned Files: 63208
+ Speed: 19.23 Files/Second
+ Infected files: 107
+ Removed files: 107
+ Files put in quarantine: 107
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
X:\
Y:\
Z:\

+ Scan result:
C:\Documents and Settings\Linda Gillan\Cookies\linda gillan@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Linda Gillan\Cookies\linda gillan@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Linda Gillan\Cookies\linda gillan@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Linda Gillan\Cookies\linda gillan@mediaplex[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Linda Gillan\Cookies\linda gillan@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Linda Gillan\Local Settings\Temporary Internet Files\Content.IE5\AQ9SZOV5\dsldbaccess[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Documents and Settings\Linda Gillan\My Documents\Sonic\Backup Job.boe/IECookies/dave@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Linda Gillan\My Documents\Sonic\Backup Job.boe/IECookies/dave@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Linda Gillan\My Documents\Sonic\Backup Job.boe/IECookies/dave@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Linda Gillan\My Documents\Sonic\Backup Job.boe/IECookies/dave@valueclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Linda Gillan\My Documents\Sonic\one\IECookies\dave@www.vibrantmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\ixplore.exe -> Trojan.Agent.am -> Cleaned with backup
C:\lf_1A8.tmp -> TrojanDownloader.Dluca -> Cleaned with backup
C:\lf_288.tmp -> TrojanDownloader.Dluca -> Cleaned with backup
C:\lf_474.tmp -> TrojanDownloader.Dluca -> Cleaned with backup
C:\lf_864.tmp -> TrojanDownloader.Dluca -> Cleaned with backup
C:\lf_8C0.tmp -> TrojanDownloader.Dluca -> Cleaned with backup
C:\lf_95C.tmp -> TrojanDownloader.Dluca -> Cleaned with backup
C:\lf_E38.tmp -> TrojanDownloader.Dluca -> Cleaned with backup
C:\lf_F14.tmp -> TrojanDownloader.Dluca -> Cleaned with backup
C:\Program Files\Norton AntiVirus\Quarantine\41322A1F.class -> Trojan.Java.ClassLoader.c -> Cleaned with backup
C:\Program Files\Norton AntiVirus\Quarantine\57910CF9.class -> Trojan.Java.ClassLoader.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\33161412-C563-4F45-95D1-87F446\A67B4E36-7F74-4686-8FF0-4C454D -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\416B47B5-D1FD-42CA-8058-0AD64C\FED9B31C-11FA-407F-AA17-1FCB18 -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\45555319-BB83-410D-8375-18D4CB\46BBF633-C41E-4ADD-833C-6C2B0F -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\730A8407-0898-4DEF-B052-CF167B\80875C39-5FF4-4908-8D2D-1CFAFB -> Trojan.Agent.db -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116509.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116510.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116600.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116821 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116822 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116831 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116851 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116860 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116885 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116890 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116891 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116892 -> Trojan.Stervis.c -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116899 -> Trojan.Stervis.c -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116900 -> Trojan.Agent.db -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116912.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00116920.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117140 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117143 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117151 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117154 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117155 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117161 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117166 -> Trojan.Stervis.c -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117167 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117168 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117223.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117232.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117623.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117631.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117632.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117802 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117808 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117811 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117819 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117822 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117823 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117829 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117834 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117835 -> Trojan.Stervis.c -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117836 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117842 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117845 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117853 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117859 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117864 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117865 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117866 -> Trojan.Stervis.c -> Cleaned with backup
C:\RECYCLER\NPROTECT\00117867 -> Trojan.Agent.db -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118002.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118092.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118100.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118276 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118277 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118286 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118306 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118315 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118333 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118383.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118397.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118573 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118574 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118583 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118603 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118612 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118635 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118640 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118641 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118642 -> Trojan.Stervis.c -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118645 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118650 -> Trojan.Stervis.c -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118651 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118652 -> Trojan.Agent.db -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118653 -> Trojan.Nail -> Cleaned with backup
C:\RECYCLER\NPROTECT\00118757.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\lloeshqksuc.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\system32\6797.exe -> Trojan.Agent.am -> Cleaned with backup
C:\WINDOWS\system32\aaepynwo.exe -> TrojanDownloader.Dluca -> Cleaned with backup
C:\WINDOWS\system32\lwbogmt.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\nkfrfesl.exe -> TrojanDownloader.Dluca -> Cleaned with backup
C:\WINDOWS\system32\nnedewii.exe -> TrojanDownloader.Dluca -> Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 20:58:04, on 15/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\uy3khk20\uy3khk20.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\uy3khk20\68172470.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\uy3khk20\uy3khk20.exe
C:\Documents and Settings\Linda Gillan\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/e ... efault.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00000000-0000-4075-A63B-6D35FCF7DE30} - C:\Program Files\uy3khk20\uy3khk20.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [uy3khk20] C:\Program Files\uy3khk20\uy3khk20.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Linda Gillan"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.0.8.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
lguk
Active Member
 
Posts: 6
Joined: June 13th, 2005, 4:51 pm

Unread postby LDTate » June 15th, 2005, 4:37 pm

I suggest you do this:

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: (no name) - {00000000-0000-4075-A63B-6D35FCF7DE30} - C:\Program Files\uy3khk20\uy3khk20.dll

O4 - HKLM\..\Run: [uy3khk20] C:\Program Files\uy3khk20\uy3khk20.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background


Close ALL windows and browsers except HijackThis and click "Fix checked"



Restart in Safe Mode:
Restart your computer.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.


Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.




Search for and delete these folders if listed:
C:\Program Files\uy3khk20


Search for and delete these files if listed:
C:\WINDOWS\Nail.exe


Open C:\Windows\Prefetch\ Delete ALL files in this folder.



Do this also if these Temp Folders are part of your OS.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


Next navigate to the C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

another log

Unread postby lguk » June 15th, 2005, 6:01 pm

ok, the computer is working fine because I changed the 'folder option' settings back before coming out of 'safe mode' as i received a warning.
:)

Linda

Logfile of HijackThis v1.99.1
Scan saved at 22:53:26, on 15/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Linda Gillan\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/e ... efault.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [uy3khk20] C:\Program Files\uy3khk20\uy3khk20.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Linda Gillan"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.0.8.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
lguk
Active Member
 
Posts: 6
Joined: June 13th, 2005, 4:51 pm

Unread postby LDTate » June 15th, 2005, 6:09 pm

This bad guy is still there;
Were you able to delete the folder uy3khk20?

use ALT/CTRL/DEL (all 3 keys at the same time)and end the process for: uy3khk20.exe

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O4 - HKLM\..\Run: [uy3khk20] C:\Program Files\uy3khk20\uy3khk20.exe

Close ALL windows and browsers except HijackThis and click "Fix checked"

Delete Folder:
C:\Program Files\uy3khk20

Delete File
C:\Program Files\uy3khk20\uy3khk20.exe

Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

If it's still there, we'll have to try Killbox.
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

still more tho :-(

Unread postby lguk » June 15th, 2005, 6:39 pm

We seem to have got rid of 'uy3khk20.exe'. So couldn't end task as it wasn't there. The PC seems to operating ok (for a steam driven one that is :D )
Linda


Logfile of HijackThis v1.99.1
Scan saved at 23:33:36, on 15/06/2005



Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Linda Gillan\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/e ... efault.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Linda Gillan"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.0.8.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
lguk
Active Member
 
Posts: 6
Joined: June 13th, 2005, 4:51 pm

Unread postby LDTate » June 15th, 2005, 6:42 pm

Good Job 8)


Log looks good :D

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Click Start> My Computer, select the Tools menu and then Folder Options, after the new window appears select the View tab…]
This time select the: Restore Defaults
Select: Apply, and click OK




If you dont have these three programs I would recommend that you get them. [color=red]Spywareblaster[/color], [color=red]Spywareguard[/color] and [color=red]IESPY AD[/color]. They will add 1000's of sites to your resticted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Thank for all your help

Unread postby lguk » June 16th, 2005, 2:10 pm

Hi. I want to thank you for all your help and support that you have given me over the last week; it has been very much appreciated. Its great to be able to run my spy ware program and get zero infections. I do have Norton anti virus but it didn’t do a very good job did it?
Thanks again.
Linda.
:lol:
lguk
Active Member
 
Posts: 6
Joined: June 13th, 2005, 4:51 pm

Unread postby LDTate » June 16th, 2005, 7:25 pm

I do have Norton anti virus but it didn’t do a very good job did it?
No one program can do it all.


Great job 8)

You're more then welcome.
Glad we were able to help

Peace be with you :D
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 48 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware