
Hello everyone. I've had a problem that has been going on for about a week now and it is really starting to bother me. I hope you guys can help!

Like many posters before me, I have had the problems with random Aurora pop-ups and VX2 malware. I have been following the directions to get it off my computer from a thread found here: http://www.daniweb.com/techtalkforums/thread24966.html. I have been following these directions exactly, from this post by crunchy:

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file....050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

The only problem is that in my HijackThis, I don't have F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe.

Should I post my log here?

Please just tell me what I have to do to get this off my computer, and thanks for any advice to help me get rid of this problem.

Last Post by dlh6213

Hi Andru, welcome to DaniWeb :D

Yes, go ahead and post your HijackThis log, but before doing so, please review the links in my signature block below.

When you post your HJT log please post your Ewido log as well.


My Hijack This Log

---------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 2:48:08 PM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mary Ann\Desktop\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [x7nP3tl] ifsmsnsv.exe
O4 - HKLM\..\Run: [2aflh47o] C:\WINDOWS\System32\2aflh47o.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [kwpepz] c:\windows\system32\zvvnmy.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [gw4FRjJ8h] iesrm.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - http://qp.clovisusd.k12.ca.us/qp2.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING48.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121206162575
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Mary Ann\Desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Mary Ann\Desktop\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
------------------------------------


My Ewido Log
--------------------------------------------
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           2:47:31 PM, 7/28/2005
+ Report-Checksum:      8BE5216A


+ Scan result:


HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\x04l1ZYQWRPW -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\x04z1ZYQWRPW -> Spyware.AproposMedia : Cleaned with backup
C:\Documents and Settings\Mary Ann\Cookies\mary ann@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Mary Ann\Cookies\mary ann@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Program Files\NoAdware\NoAdwareBackup\2,22,2005_15,27,23.zip/mary ann@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\SurfAccuracy\SAccU.exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\RECYCLER\NPROTECT\00169017.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\RECYCLER\NPROTECT\00169107.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00169108.EXE -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00169225.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00169229.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00169232.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00169247.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00169251.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00169317.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00169318.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00169319.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00169324.exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP500\A0171211.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP500\A0171300.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP500\A0171385.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP500\A0171576.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0172189.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0172242.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0172282.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0172408.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0172419.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0172504.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0172633.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0172677.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0172697.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0172945.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0172978.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0173000.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0173047.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP501\A0174119.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP502\A0175223.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP502\A0177255.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177356.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177458.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177459.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177460.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177461.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177462.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177463.EXE -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177464.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177465.EXE -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177466.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177467.EXE -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177468.EXE -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177469.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177470.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177471.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177472.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177473.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177474.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177475.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177476.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177477.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177478.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177479.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177480.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177481.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177482.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177483.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177484.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177485.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177486.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177487.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177488.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177489.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177490.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177491.dll -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177492.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177493.exe -> Trojan.Popmon.a : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177501.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177504.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177505.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177506.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177514.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177517.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP503\A0177521.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP504\A0177530.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP504\A0177531.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP504\A0177534.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP505\A0177549.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP505\A0177550.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP505\A0177553.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\yhzusg.exe -> Adware.BetterInternet : Cleaned with backup



::Report End
------------------------------------------------

There's both of them and thanks dlh6213.



First, right-click on an empty area of your desktop and select New, Folder; give the new folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.

Next, download, install, update, and run these utilities:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
CCleaner -- http://www.filehippo.com/download/Qi6RR0U86febzhqUrQQIBQ2/download.html (don't run this one yet)

Then, scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [x7nP3tl] ifsmsnsv.exe
O4 - HKLM\..\Run: [2aflh47o] C:\WINDOWS\System32\2aflh47o.exe
O4 - HKLM\..\Run: [kwpepz] c:\windows\system32\zvvnmy.exe r
O4 - HKCU\..\Run: [gw4FRjJ8h] iesrm.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - http://qp.clovisusd.k12.ca.us/qp2.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/d...MARKETING48.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1121206162575
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Close any open windows, other than HijackThis, and hit Fix checked.

In order to view some of the files and folders here, you will need to set your system up accordingly. Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

Go to the following locations and delete the highlighted files and folder:

C:\WINDOWS\svcproc.exe
C:\WINDOWS\dsr.dll
C:\WINDOWS\System32\2aflh47o.exe
C:\windows\system32\zvvnmy.exe

C:\Program Files\SurfAccuracy

Do a search for these files and delete any instances found:

Ifsmsnsv.exe
Iiesrm.exe

If any of these files cannot be deleted, please reboot into Safe Mode and try again. Let us know which, if any, still could not be deleted.

Follow the instructions in post #2 of this thread -- http://www.daniweb.com/techtalkforums/thread28196.html

Now run CCleaner.

Reboot, close any open browser windows, scan with HijackThis, and post a new log please.
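A small Python triage script, added here as an example (it is not HijackThis code and was not posted in the thread), that applies the checks dlh6213 made by eye to the log above: hosts entries remapping security sites to odd 127.0.0.9x addresses, IE search settings pointing at an unfamiliar host, random-named Run values with no path, and entries whose file is already gone. The allowlist, the protected-site list and the heuristics are assumptions, and the sample log is a constructed subset of the first log posted above.

```python
"""Triage HijackThis-style log lines for the patterns dlh6213 singled out above.
Added example for this thread, not HijackThis code; the allowlist, protected-site
list and heuristics are assumptions encoding the thread's judgement calls."""
import re
from urllib.parse import urlsplit

# Assumed: start/search hosts a home user in this thread would plausibly set on purpose.
SEARCH_ALLOWLIST = {"google.com", "www.google.com", "www.att.net", "www.msn.com"}

# Security-vendor sites taken from the O1 entries in Andru's log; a hosts entry that
# remaps any of these is the hijacker trying to keep removal tools unreachable.
PROTECTED_SITES = {"doxdesk.com", "www.safer-networking.org", "www.secureie.com",
                   "www.security.kolla.de", "www.spybot.info", "www.spychecker.com",
                   "www.spycop.com", "www.spyguard.com", "www.spykiller.com", "www.spyware.co.uk"}

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
SEARCH_RE = re.compile(r"^R[01] - .*\\Internet Explorer\\\w+,[\w() ]+ = (.+)$")
ORPHAN_RE = re.compile(r"\((file missing|no file)\)$")


def host_of(value):
    """Host part of an IE setting value; scheme-less 'host/path' values get one added."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def suspicious_search(value):
    """R0/R1 values: flag URLs whose host is not on the allowlist."""
    if " " in value or "." not in value:   # e.g. 'Window Title = Microsoft Internet Explorer'
        return []
    host = host_of(value)
    return [] if host in SEARCH_ALLOWLIST else ["IE search/start setting points at " + host]


def suspicious_hosts(ip, host):
    """O1 entries: security sites remapped, or the odd 127.0.0.9x loopback scheme."""
    reasons = []
    if host.lower() in PROTECTED_SITES:
        reasons.append("security-vendor site remapped in hosts file")
    if ip.startswith("127.") and ip != "127.0.0.1":
        reasons.append("non-standard loopback address " + ip)
    return reasons


def suspicious_run(name, command):
    """O4 entries: random-looking value names, and pathless filenames unrelated to them."""
    reasons = []
    if re.search(r"\d", name) and re.search(r"[A-Za-z]", name):
        reasons.append("random-looking value name (letters mixed with digits)")
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\" not in exe and stem.lower() != name.lower():
        reasons.append("pathless filename that does not match its value name")
    return reasons


CHECKS = [(HOSTS_RE, lambda m: suspicious_hosts(*m.groups())),
          (RUN_RE, lambda m: suspicious_run(m.group(2), m.group(3))),
          (SEARCH_RE, lambda m: suspicious_search(m.group(1)))]


def triage(log_text):
    """Return [(line, [reasons])] for every line that trips at least one heuristic."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines() if raw.strip()):
        reasons = []
        for regex, check in CHECKS:
            m = regex.match(line)
            if m:
                reasons += check(m)
        if line.startswith("R3 - Default URLSearchHook is missing"):
            reasons.append("default URLSearchHook has been removed")
        if ORPHAN_RE.search(line):
            reasons.append("points at a file that is no longer present")
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample: a subset of Andru's first log, benign entries included so the
# script has something to leave alone.  [kwpepz] is deliberately NOT caught: dlh6213
# flagged it by eye, which is why a script like this only assists triage.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.9 doxdesk.com
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [x7nP3tl] ifsmsnsv.exe
O4 - HKLM\..\Run: [2aflh47o] C:\WINDOWS\System32\2aflh47o.exe
O4 - HKLM\..\Run: [kwpepz] c:\windows\system32\zvvnmy.exe r
O4 - HKCU\..\Run: [gw4FRjJ8h] iesrm.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```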


Most of the files couldn't be deleted... These were

C:\WINDOWS\svcproc.exe (couldn't find it)
C:\WINDOWS\dsr.dll (couldn't find it)
C:\WINDOWS\System2aflh47o.exe (This was a .ini file instead of .exe.)
C:\windows\system32\zvvnmy.exe (couldn't find it)

and the instance liesrm.exe wasn't found either.

Good news though. When I ran Ad-Aware (the program which I kept running, only to keep finding VX2 no matter how many times I ran it), VX2 was no longer found! The computer's running much faster and I haven't encountered Aurora pop-ups yet!

Oh and by the way here's the logfile.

Logfile of HijackThis v1.99.1
Scan saved at 10:33:42 PM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Documents and Settings\Mary Ann\Desktop\security suite\ewidoctrl.exe
C:\Documents and Settings\Mary Ann\Desktop\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\soundman.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Mary Ann\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.9 doxdesk.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Mary Ann\Desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Mary Ann\Desktop\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks for all the help! :mrgreen:


It's getting better, but not clean yet.

Reboot into Safe Mode.

Scan with Ewido again, allowing it to fix whatever it finds.

Scan with HJT and have it fix the following entries:

R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.9 doxdesk.com
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Remember to close any open windows, other than HijackThis, before hitting Fix checked.

Do a search for svcproc.exe and delete any instances found (this is a part of Aurora and it's still showing in your log).

Also do a search for System2aflh47o and delete any instances found.

Empty your Recycle Bin and reboot normally.

Go to C:\WINDOWS\dinst.exe; right-click on it and select Properties. Give us whatever info you can on it (Company, version, etc.).

Close any open browser windows, scan with HJT, and post a new log along with the new Ewido log.


My Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 8:27:00 PM, on 7/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\soundman.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mary Ann\Desktop\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Documents and Settings\Mary Ann\Desktop\security suite\ewidoctrl.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


and here's my Ewido log


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           8:14:45 PM, 7/29/2005
+ Report-Checksum:      F1AC58E2


+ Scan result:


HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\x04l1ZYQWRPW -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\x04z1ZYQWRPW -> Spyware.AproposMedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00169781.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\RECYCLER\NPROTECT\00170278.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\RECYCLER\NPROTECT\00170407.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP506\A0178717.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP506\A0178765.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP506\A0178833.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup



::Report End

When I had searched, neither svcproc.exe nor System2aflh47o could be found.

Also when I looked in the properties of the dinst.exe, I didn't see any information about company or version. Sorry but could you be more specific about how to find these? Thanks.



I was pretty sure dinst.exe was bad; the lack of information in Properties confirms this hunch.

Did you already delete System2aflh47o.ini before?

Be sure you have your system set to Show hidden files and folders -- Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

Open the Services utility in your Administrative Tools control panel.

In the list of services, locate the service named System Startup Service or SvcProc and double-click on it.

In the General tab of the Properties window that opens, click the Stop button; once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK. Close the Services utility.

Disconnect from the internet and reboot into Safe Mode.

Double-click on the Nailfix.cmd that is on your desktop.

Again, run a full system scan with Ewido, allowing it to fix whatever it finds.

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Remember to close any open windows before hitting Fix checked.

Go to the following locations and delete the highlighted files:

C:\WINDOWS\dsr.dll
C:\WINDOWS\dinst.exe

Empty your Recycle Bin.

Open HijackThis and click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button. Type (or copy & paste) svcproc into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes.

Allow your computer to reboot normally.

Do a search for dsr.dll and svcproc and delete any instances found. If any are found, and cannot be deleted, repeat the HJT 'delete on reboot' instructions.

Close any open browser windows, scan with HJT, and post a new log along with the new Ewido log.

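The two helper replies above (the short "It's getting better" fix list and the longer dinst.exe/SvcProc procedure) pick log lines out by a handful of rules: a missing URLSearchHook, search and start pages pointing at an unfamiliar domain, hosts-file redirections, a BHO or autostart entry whose file sits directly in C:\WINDOWS rather than System32, orphaned O9 buttons, and O23 services that are "(file missing)" or "Unknown owner". The script below is an added example for this thread; it is not code from the original posts, from HijackThis, or from Ewido. It encodes those rules so a log can be triaged mechanically, and diffs two logs to list what a clean-up pass actually removed. The domain allow-list, the `Finding` record and the rule thresholds are assumptions made for the example; the sample lines are copied from the logs and fix lists posted in this thread.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, see lead-in).

Rules follow what the helper flags by hand in this thread. "Windows folder"
below means C:\\WINDOWS\\x.exe itself, not C:\\WINDOWS\\System32.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed benign defaults for this example; extend for the machine under review.
KNOWN_GOOD_DOMAINS = {"google.com", "www.google.com", "www.att.net"}

_SECTION_RE = re.compile(r"^(R[0-3]|O\d{1,2}|F\d)\s+-\s+(.*)$")
# First host-like token in a value: "http://websearch.drsnsrch.com/q.cgi" -> websearch.drsnsrch.com
_DOMAIN_RE = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
# C:\WINDOWS\foo.exe or .dll, but not C:\WINDOWS\System32\foo.exe
_WINROOT_RE = re.compile(r"[A-Z]:\\WINDOWS\\[^\\\s]+\.(?:exe|dll)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def _domain(value: str) -> Optional[str]:
    m = _DOMAIN_RE.search(value)
    return m.group(1).lower() if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line that should be fixed or reviewed, else None."""
    line = line.strip()
    m = _SECTION_RE.match(line)
    if not m:  # process list, headers, blank lines
        return None
    section, body = m.group(1), m.group(2)

    if section == "R3" and "missing" in body:
        return Finding(section, line, "URLSearchHook removed by a hijacker")
    if section in ("R0", "R1") and " = " in body:
        dom = _domain(body.split(" = ", 1)[1])
        if dom and dom not in KNOWN_GOOD_DOMAINS:
            return Finding(section, line, "search/start page points at " + dom)
    if section == "O1" and not re.search(r"127\.0\.0\.1\s+localhost$", body):
        return Finding(section, line, "hosts-file redirection")
    if section == "O2" and (_WINROOT_RE.search(body) or "(no file)" in body):
        return Finding(section, line, "BHO loaded from the Windows folder or missing")
    if section == "O4" and _WINROOT_RE.search(body):
        return Finding(section, line, "autostart loader in the Windows folder")
    if section == "O9" and "(no file)" in body:
        return Finding(section, line, "orphaned toolbar button")
    if section == "O23":
        if "(file missing)" in body:
            return Finding(section, line, "service binary missing (dead install or deleted loader)")
        if "Unknown owner" in body and _WINROOT_RE.search(body):
            return Finding(section, line, "unsigned service running from the Windows folder")
    return None


def triage_log(lines: Iterable[str]) -> List[Finding]:
    return [f for f in map(triage_line, lines) if f is not None]


def entries_removed(before: Iterable[str], after: Iterable[str]) -> List[str]:
    """Entries present in an earlier scan but gone from a later one, i.e. what a
    clean-up pass actually removed. Order follows the earlier log."""
    later = {l.strip() for l in after}
    out: List[str] = []
    for raw in before:
        entry = raw.strip()
        if _SECTION_RE.match(entry) and entry not in later and entry not in out:
            out.append(entry)
    return out


# Constructed sample: lines copied from the logs and fix lists in this thread.
LOG_BEFORE = r"""
R3 - Default URLSearchHook is missing
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: 127.0.0.9 doxdesk.com
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
""".strip().splitlines()

LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
""".strip().splitlines()


if __name__ == "__main__":
    for f in triage_log(LOG_BEFORE):
        print(f"{f.section:<4} {f.reason}: {f.line}")
    print("entries removed by clean-up:", len(entries_removed(LOG_BEFORE, LOG_AFTER)))
```

The rules are deliberately conservative about O23: an "Unknown owner" service in Program Files (the Adobe LM Service in these logs) is left alone, while "(file missing)" always gets a look, since a missing service binary is either a leftover of an uninstalled product or a loader that was deleted while its service registration still runs at boot. Feed the whole log in; lines that are not R/O/F entries are ignored.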

uncheck Hide protected operating system files.

Forgot to do this part.... sorry. Now I'll uncheck it and follow the steps you have provided.

Logfile of HijackThis v1.99.1
Scan saved at 2:14:29 PM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\soundman.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Mary Ann\Desktop\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Documents and Settings\Mary Ann\Desktop\security suite\ewidoctrl.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           1:57:01 PM, 7/30/2005
+ Report-Checksum:      41FCC3C5


+ Scan result:


C:\Documents and Settings\Mary Ann\Cookies\mary ann@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Mary Ann\Cookies\mary ann@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Mary Ann\Cookies\mary ann@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP506\A0179841.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP506\A0179842.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP506\A0179843.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP506\A0179844.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{118564D0-8B24-4DBE-9C86-9D4F300AE0BF}\RP506\A0179845.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup



::Report End

There's both of the logs.



Everything is fine. My computer is running faster, no more Aurora Pop-ups, and VX2 is no longer showing up. Thanks for everything dlh6213. :mrgreen:
