TheTechGuide Forum
General Category => Tech Clinic => Topic started by: tarzan on April 22, 2005, 02:57:08 PM
-
Hi all, I need some help. I got the dreaded smartsecurity virus last week, you know, the "usual" red screen with black square etc. I tried to use HijackThis, and I seemingly got rid of it, but I might have done something wrong, because 2 days later I now have a blank screen. I can't see any of my desktop at all, and I can't use the Start button either. Just a plain blank turquoise blue screen. I am currently in safe mode.
Please find my log below, and I would be most grateful to anyone who can help!
Logfile of HijackThis v1.99.1
Scan saved at 20:49:43, on 22/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\dhdlalv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\hijackthis.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3az32.exe] C:\WINDOWS\d3az32.exe
O4 - HKLM\..\Run: [bbdjjs] c:\windows\system32\dhdlalv.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O15 - Trusted IP range: 66.197.161.149
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipsm.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
-
Really need help guys...
I basically have a greenish-turquoise blueish screen when I switch on my computer. I cannot see my desktop at all, and I cannot use the Start option.
Ctrl Alt Del gives me the Task Manager, but it won't even let me do a second Ctrl Alt Del to shut down.
I am in safe mode at present.
-
You have a couple of different problems on your computer
Can you repost a fresh HijackThis log and I'll reply at first opportunity
-
Oh mate, I'd be most grateful for any help. Here is the most recent log, done 2 minutes ago.
PS: as I mentioned earlier, I also had the smart-security virus, and I tried to delete it from HijackThis, following advice you gave to someone else.
PPS: I also keep getting an "aurora" pop up. It just ignores my PopUpStopper.
PPPS: in case you are wondering, I did have an antivirus (avast antivirus) but had to disable it while getting rid of smartsecurity (which it hadn't been able to stop).
Logfile of HijackThis v1.99.1
Scan saved at 21:28:11, on 24/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\hjt\hijackthis.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3az32.exe] C:\WINDOWS\d3az32.exe
O4 - HKLM\..\Run: [epdzfb] c:\windows\system32\juxtyn.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O15 - Trusted IP range: 66.197.161.149
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipsm.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
-
I'm just on my way out the door, I need some information from you
Then we'll tackle your log later, I'll make sure I post when I get back
Can you do the following for me now
Please download Find_Its.zip from the link below
http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443
UNZIP the contents to desktop
Open the FindIt's folder and double click on the FindIt's.bat
Wait for the log and post it back here
-
Thanks for your time, please find the log below. It's 10.15pm here, and as you are going out, I'll therefore go to bed rather than sit up waiting for you.
lol, I'll have a quick look in here in 7 hrs time, before going to work, to see if you were able to have a look at my nasty log in between your other commitments. Thanks again.
Microsoft Windows XP [Version 5.1.2600]
The current date is: 24/04/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
* aurora C:\WINDOWS\MURPZX.EXE
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
* UPX! C:\WINDOWS\System32\CCEUOVX.EXE
* UPX! C:\WINDOWS\System32\INIT32M.EXE
* UPX! C:\WINDOWS\System32\VXGAME3.EXE
* UPX! C:\WINDOWS\NAIL.EXE
* UPX! C:\WINDOWS\SSK_B5.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE
* UPX! C:\WINDOWS\SYJLIO~1.EXE
* Sniffed C:\WINDOWS\System32\DRPMON.DLL
»»»»» lagitamate file's can/will show in this section.
* UPX! C:\WINDOWS\SASENT.DLL
* UPX! C:\WINDOWS\SASETUP.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* buddy C:\WINDOWS\SYJLIO~1.EXE
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
* SAHAgent C:\WINDOWS\System32\Q17I9A4J.EXE
* SAHAgent C:\WINDOWS\System32\70TOVMTO.INI
* SAHAgent C:\WINDOWS\System32\AP9H4QMO.INI
* SAHAgent C:\WINDOWS\System32\Q17I9A4J.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Checking Windir\svcproc.exe and nail.exe.
svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.
DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C has no label.
Volume Serial Number is 3CC8-4744
Directory of C:\WINDOWS\SYSTEM32
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 3CC8-4744
Directory of C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»».
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\aurora
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\Bolger
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}
<NO NAME> REG_SZ IBolgerDllObj
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
-
You have some work ahead of you, but we should be able to get you clean
Download and save to a folder
Cleanall.zip
Unzip the contents so you now have fixdisply.reg>>remove.bat>>cwserviceremove.reg in the same folder
We'll need these later
Download and save to a folder CWShredder.exe from my signature below
==Download and unzip to a folder Hoster.zip http://www.funkytoad.com/download/hoster.zip
We'll need this later
===Download to a folder
About:Buster.zip http://www.malwarebytes.biz/AboutBuster.zip
by RubbeR Ducky
Unzip the contents, another folder will be placed inside
Open it and run About:buster.exe
Click the Update Button and check for updates, if any, download them
Then close it for now, we'll need this later
====Download the Pocket Killbox http://www.downloads.subratam.org/KillBox.zip
UNZIP it to a folder of your choice
Save the rest of these instructions to a Notepad file and then disconnect from the Internet>>It's best to save this to Notepad as I need you to copy and paste some directions
Close All browser windows, including this one
In SAFE MODE
Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- System Startup Service
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Do the same for this service name
Network Security Service
Navigate to About:buster you unzipped and updated earlier
==Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time. Save the log... Then hit Exit
You may have to scan more than twice, try 3 or 4 times until no files or Data Streams are found
==Double click on cwserviceremove.reg you unzipped earlier
and allow to merge to the registry when prompted
Run Pocket KillBox>>Now killbox and this notepad file is open
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
C:\WINDOWS\d3az32.exe
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
Do the same for these paths to the file names
c:\windows\system32\juxtyn.exe
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\ipsm.exe
C:\WINDOWS\MURPZX.EXE
C:\WINDOWS\System32\CCEUOVX.EXE
C:\WINDOWS\System32\INIT32M.EXE
C:\WINDOWS\System32\VXGAME3.EXE
C:\WINDOWS\NAIL.EXE
C:\WINDOWS\SSK_B5.EXE
C:\WINDOWS\SVCPROC.EXE
C:\WINDOWS\SYJLIO~1.EXE
C:\WINDOWS\SASENT.DLL
C:\WINDOWS\SASETUP.DLL
C:\WINDOWS\System32\Q17I9A4J.EXE
C:\WINDOWS\System32\70TOVMTO.INI
C:\WINDOWS\System32\AP9H4QMO.INI
C:\WINDOWS\System32\Q17I9A4J.INI
C:\WINDOWS\System32\DRPMON.DLL
Allow the computer to Reboot
or restart anyway when you've entered the last full path to the file name
(Make sure you enter them all)
Can you please restart back to Safe mode
Don't worry about any file not found error messages if prompted
Find and delete this folder if it exists
C:\Windows\SYSTEM32\cache32_rtneg <-this folder
Go to START>>RUN>>type in
cmd
Hit OK
At the command prompt
type in the following>>(Enter) indicates hitting the Enter key on your keyboard
cd C:\Windows (Enter) <-notice single space after cd
nail.exe /FullRemove (Enter) <-space after exe
exit (enter)
After doing the above
Double click on remove.bat
You unzipped earlier
A dos window will open and close, this is normal
Double click on fixdsply.reg
Allow to merge to the registry at the prompt
Do another scan with Hijackthis and put a check next to these entries:
Not all may exist, but take a look
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3az32.exe] C:\WINDOWS\d3az32.exe
O4 - HKLM\..\Run: [epdzfb] c:\windows\system32\juxtyn.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O15 - Trusted IP range: 66.197.161.149
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipsm.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't log off yet
==Open Hoster you unzipped earlier
Click the "Restore Original Hosts" button
==Run CWShredder.exe
Click the FIX button, let it fix what it finds
Afterwards
Restart back to Normal mode
Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked
Post back a fresh hijackthis log>>try to post one in Normal mode
Also run FindIt's.bat again and post the log
We'll still have some cleaning to do, but this is a good start
Please do as much of the above as you can before posting back as I may not see your updated logs until I get off work tomorrow
-
All noted. Going offline now to execute the above and typing with all my fingers crossed... thanks for your time
-
I can now see my desktop, but as you said, some more stuff to be done lol.. please find pasted below my new HijackThis log. I'll post the FindIt's.bat log in my next reply
Logfile of HijackThis v1.99.1
Scan saved at 06:58:59, on 25/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
c:\windows\system32\nmrsnz.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\hijackthis.exe
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [rbrfks] c:\windows\system32\nmrsnz.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O15 - Trusted IP range: 66.197.161.149
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
-
Me again (I had forgotten to log in). Following up on the above HJT log, please find below my most recent FindIt's.bat log.
Thanks (I'm off to work - late lol and I'll be back home in 13hrs (sad eh?! :) ) to see if you had a chance to look at the logs.
Microsoft Windows XP [Version 5.1.2600]
The current date is: 25/04/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
* UPX! C:\WINDOWS\System32\NMRSNZ.EXE
»»»»» lagitamate file's can/will show in this section.
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Checking Windir\svcproc.exe and nail.exe.
»»»»» Checking for System32\DrPMon.dll.
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C has no label.
Volume Serial Number is 3CC8-4744
Directory of C:\WINDOWS\SYSTEM32
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 3CC8-4744
Directory of C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»».
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\aurora
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\Bolger
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}
<NO NAME> REG_SZ IBolgerDllObj
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
-
I'm off to bed and work also
So I won't be back online for about 16 hours
I forgot to ask you to post the logs from About:buster
If you saved them could you post them, if not, don't worry about it
I'll look over your logs when I get back from work
Still a bit more cleaning to do.......
Try not to restart the computer until we try some final fixes
-
Am at work now, but yes I do remember saving the About:Buster file.. though this will mean switching on the comp.. will post it when I get home. (It's my home comp which is infected)
-
Can we do the following
Download the RKFiles.zip
http://skads.org/special/rkfiles.zip
UNZIP the contents to its own folder
===Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf and save it to desktop
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As, save it to desktop
Again, save these instructions to a Notepad file
Disconnect from the Internet>>Close all browser windows
Do another scan with Hijackthis and put a check next to these entries:
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [rbrfks] c:\windows\system32\nmrsnz.exe
O15 - Trusted IP range: 66.197.161.149
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries
Run Pocket KillBox>>Now killbox and this notepad file is open
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
C:\WINDOWS\System32\NMRSNZ.EXE
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
Do the same for this path to the file name
C:\WINDOWS\System32\msmsgs.exe
Allow the computer to Reboot
or Restart anyways when you've entered the last full path to the file name
Can you please restart back to Safe mode
In SAFE MODE
Open the folder you unzipped rkfiles.zip to
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt
Restart back to Normal mode
Post back a fresh Hijackthis log and the log from Rkfiles.bat
AFTER posting the logs
Could you also post another log from FindIt's.bat
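The entries the helper ticks in the two fix lists above (the F2 Shell= line, O4 Run/RunOnce entries with random names, the O15 Trusted IP range, O23 services with an unknown owner) follow patterns that can be written down as triage rules over the HijackThis log format. The following is an added example, not code from this thread or from HijackThis; it assumes Windows is installed at C:\WINDOWS as in the logs here, and its sample log is constructed from the thread's own entries:

```python
import re
from dataclasses import dataclass

# Assumption: Windows lives at C:\WINDOWS, as in every log in this thread.
WINDIR = r"c:\windows"

# Constructed sample: an abridged HijackThis v1.99.1 log made of entries this thread's
# logs actually contain, mixing the ones the helper had removed with legitimate
# autostarts, so every rule has something to pass and something to flag.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [d3az32.exe] C:\WINDOWS\d3az32.exe
O4 - HKLM\..\Run: [bbdjjs] c:\windows\system32\dhdlalv.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O15 - Trusted IP range: 66.197.161.149
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Line shapes of the HijackThis sections the helper's fix lists are built from.
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O15_RE = re.compile(r"^O15 - Trusted IP range: (?P<ip>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")  # bbdjjs, epdzfb, rbrfks, mkqamh in this thread


@dataclass
class Finding:
    section: str   # HijackThis section tag: F2, O4, O15 or O23
    severity: str  # "fix": a kind the helper had removed outright; "review": legit files show here too
    reason: str
    line: str
    path: str = ""  # executable behind the entry, when the line names one


def exe_path(target: str) -> str:
    """Strip quotes and command-line arguments, leaving the executable path."""
    target = target.strip()
    if target.startswith('"'):
        return target[1:target.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", target, re.IGNORECASE)
    return m.group(1) if m else target.split()[0]


def stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def under_windir(path: str) -> bool:
    return path.lower().startswith(WINDIR + "\\")


def in_windir_root(path: str) -> bool:
    """True for a file sitting directly in the Windows folder, not in a subfolder."""
    return under_windir(path) and "\\" not in path[len(WINDIR) + 1:]


def in_system32(path: str) -> bool:
    return path.lower().startswith(WINDIR + "\\system32\\")


def check_o4(m, line: str):
    name, key, target = m["name"], m["key"], exe_path(m["target"])
    if RANDOM_NAME_RE.match(name) and in_system32(target) and stem(target) != name:
        return Finding("O4", "fix", "random value name loading a random-named exe from system32", line, target)
    if key == "RunOnce" and under_windir(target):
        return Finding("O4", "review", "RunOnce autostart pointing into the Windows folder", line, target)
    if in_windir_root(target):
        return Finding("O4", "review", "autostart exe sitting directly in the Windows folder", line, target)
    return None


def triage(log: str) -> list:
    """Apply the rules to every line of a HijackThis log and return findings in log order."""
    findings = []
    for line in (l.strip() for l in log.splitlines()):
        if m := F2_RE.match(line):
            extra = [t for t in re.split(r"[,\s]+", m["shell"]) if t and t.lower() != "explorer.exe"]
            if extra:  # Shell= must load explorer.exe and nothing else
                path = next((t for t in extra if "\\" in t), "")
                findings.append(Finding("F2", "fix", "Shell= also loads " + " ".join(extra), line, path))
        elif m := O4_RE.match(line):
            if f := check_o4(m, line):
                findings.append(f)
        elif m := O15_RE.match(line):
            findings.append(Finding("O15", "fix", f"Trusted IP range {m['ip']} puts that host in IE's Trusted zone", line))
        elif m := O23_RE.match(line):
            if m["owner"].lower().startswith("unknown"):
                sev = "fix" if in_windir_root(m["path"]) else "review"
                findings.append(Finding("O23", sev, "service with unknown owner: " + m["svc"], line, m["path"]))
    return findings


def paths_to_remove(findings) -> list:
    """Executables behind the 'fix' findings: the list the helper fed to KillBox by hand."""
    return sorted({f.path for f in findings if f.severity == "fix" and f.path})
```

The "review" severity mirrors the helper's own caveat that legitimate files can show in these locations (NCLAUNCH.EXe in the Windows folder is one in this thread), so those lines are meant to be looked at, not deleted automatically.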
-
Thanks.. in the meantime, here is that About:Buster log we'd talked about earlier. I will go offline and do all you've taken the time to write
Scanned at: 06:03:52 on: 25/04/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\System32\fhguv.dat
Removed! : C:\WINDOWS\System32\nthst32.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
Scanned at: 06:06:13 on: 25/04/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\System32\fhguv.dat
Removed! : C:\WINDOWS\System32\nthst32.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 3 ---------------------------
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
-
Logfile of HijackThis v1.99.1
Scan saved at 23:05:40, on 25/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\nvjcexf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\hijackthis.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [mkqamh] c:\windows\system32\nvjcexf.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
-
C:\hjt\rkfiles\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\eipmgee.exe: UPX!
C:\WINDOWS\system32\atipatxx.exe: FSG!
C:\WINDOWS\system32\ntddetect.exe: FSG!
C:\WINDOWS\system32\TFTP1216: FSG!
C:\WINDOWS\system32\vxgame1.exe: FSG!
C:\WINDOWS\system32\vxh8jkdq7.exe: FSG!
C:\WINDOWS\system32\web.exe: FSG!
C:\WINDOWS\system32\winldra.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\srpcsrv32.dll: PEC2
C:\WINDOWS\system32\txfdb32.dll: PEC2
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\Nail.exe: UPX!
C:\WINDOWS\svcproc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\sys1311.exe: FSG!
C:\WINDOWS\sys1313.exe: FSG!
C:\WINDOWS\sys1314.exe: FSG!
C:\WINDOWS\sys133.exe: FSG!
C:\WINDOWS\sys135.exe: FSG!
C:\WINDOWS\sys138.exe: FSG!
C:\WINDOWS\sys143.exe: FSG!
C:\WINDOWS\sys144.exe: FSG!
C:\WINDOWS\sys145.exe: FSG!
C:\WINDOWS\sys1810.exe: FSG!
C:\WINDOWS\sys1812.exe: FSG!
C:\WINDOWS\sys1814.exe: FSG!
C:\WINDOWS\sys1816.exe: FSG!
C:\WINDOWS\sys1818.exe: FSG!
C:\WINDOWS\sys1828.exe: FSG!
C:\WINDOWS\sys1829.exe: FSG!
C:\WINDOWS\sys1830.exe: FSG!
C:\WINDOWS\sys1836.exe: FSG!
C:\WINDOWS\sys1838.exe: FSG!
C:\WINDOWS\sys1839.exe: FSG!
C:\WINDOWS\sys1840.exe: FSG!
C:\WINDOWS\sys1841.exe: FSG!
C:\WINDOWS\sys187.exe: FSG!
C:\WINDOWS\sys2110.exe: FSG!
C:\WINDOWS\sys2111.exe: FSG!
C:\WINDOWS\sys2114.exe: FSG!
C:\WINDOWS\sys2117.exe: FSG!
C:\WINDOWS\sys2119.exe: FSG!
C:\WINDOWS\sys2122.exe: FSG!
C:\WINDOWS\sys2125.exe: FSG!
C:\WINDOWS\sys217.exe: FSG!
C:\WINDOWS\sys218.exe: FSG!
C:\WINDOWS\sys219.exe: FSG!
C:\WINDOWS\sys3429.exe: FSG!
C:\WINDOWS\sys3433.exe: FSG!
C:\WINDOWS\sys3436.exe: FSG!
C:\WINDOWS\sys3448.exe: FSG!
C:\WINDOWS\sys3452.exe: FSG!
C:\WINDOWS\sys3454.exe: FSG!
C:\WINDOWS\sys5757.exe: FSG!
C:\WINDOWS\sys5758.exe: FSG!
C:\WINDOWS\sys5759.exe: FSG!
C:\WINDOWS\sys580.exe: FSG!
C:\WINDOWS\sys581.exe: FSG!
C:\WINDOWS\sys5911.exe: FSG!
C:\WINDOWS\sys5916.exe: FSG!
C:\WINDOWS\sys5919.exe: FSG!
C:\WINDOWS\sys5923.exe: FSG!
C:\WINDOWS\sys5926.exe: FSG!
C:\WINDOWS\sys5929.exe: FSG!
Finished
bye
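The rkfiles report above flags files by the packer marker strings it finds inside them (UPX!, FSG!, PEC2). The Python below is an added example, not rkfiles itself or anything posted in this thread: it performs the same kind of sweep over a folder of constructed sample files, looking only for those three strings (rkfiles clearly matches more patterns, as the dfrg.msc line shows), and carries the same caveat the tool prints: a packer marker means the file is compressed, not that it is malicious, since plenty of legitimate software ships UPX-packed.

```python
"""Packer-marker sweep in the style of the rkfiles report (added example)."""
import os
import tempfile

# Marker strings as rkfiles prints them. UPX and FSG are executable packers;
# PEC2 is commonly the marker left by PECompact 2. Reported as-is, like the tool.
PACKER_MARKERS = (b"UPX!", b"FSG!", b"PEC2")


def scan_file(path, markers=PACKER_MARKERS, max_bytes=2 * 1024 * 1024):
    """Return the marker strings present in the first max_bytes of one file."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    return sorted(m.decode("ascii") for m in markers if m in data)


def sweep(folder, markers=PACKER_MARKERS):
    """Scan every regular file directly inside folder.

    Returns {filename: [markers]} for files with at least one hit. A hit is a
    reason to look closer, not a verdict: legitimate files can be packed too.
    """
    hits = {}
    for name in sorted(os.listdir(folder)):
        full = os.path.join(folder, name)
        if os.path.isfile(full):
            found = scan_file(full, markers)
            if found:
                hits[name] = found
    return hits


def build_sample_folder():
    """Create a temp folder of constructed dummy files (not real binaries).

    The two 'packed' files are just an MZ header, padding and a marker string,
    so the example runs offline without touching anything on the system.
    """
    folder = tempfile.mkdtemp(prefix="rkfiles_demo_")
    samples = {
        "packed_upx.exe": b"MZ" + b"\x00" * 60 + b"UPX!" + b"\x00" * 100,
        "packed_fsg.exe": b"MZ" + b"\x00" * 30 + b"FSG!" + b"\x00" * 100,
        "plain.dll": b"MZ" + b"\x00" * 200,
        "notes.txt": b"hello world",
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)
    return folder


if __name__ == "__main__":
    demo = build_sample_folder()
    # Same one-line-per-file layout as the rkfiles output quoted above.
    for fname, found in sweep(demo).items():
        print(f"{os.path.join(demo, fname)}: {', '.join(found)}")
```

Point it at a real folder by calling `sweep(r"C:\WINDOWS\system32")` instead of the demo folder; reading only the first couple of megabytes of each file keeps the pass quick on a full System32.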
-
Microsoft Windows XP [Version 5.1.2600]
The current date is: 25/04/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
* aurora C:\WINDOWS\MURPZX.EXE
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
* UPX! C:\WINDOWS\System32\NVJCEXF.EXE
* UPX! C:\WINDOWS\NAIL.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE
* Sniffed C:\WINDOWS\System32\DRPMON.DLL
»»»»» lagitamate file's can/will show in this section.
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Checking Windir\svcproc.exe and nail.exe.
svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.
DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C has no label.
Volume Serial Number is 3CC8-4744
Directory of C:\WINDOWS\SYSTEM32
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 3CC8-4744
Directory of C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»».
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\aurora
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\Bolger
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}
<NO NAME> REG_SZ IBolgerDllObj
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
-
Some stuff has crept back.. damn.. I'll log back in safe mode tomorrow (in 5 hrs actually)
-
Yup, still some work to do
Download and then Install
Ewido Trojan Scanner (http://www.ewido.net/en/download/)
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido
Disconnect from the Internet
Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service:
Name: System Startup Service
Double click on it, STOP the service if running
In the drop down menu, change the startup type to Disabled
Run Pocket KillBox. Now KillBox and this notepad file are open
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
C:\WINDOWS\MURPZX.EXE
Select the radio button to
Delete on Reboot
Click the red circle with a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
Do the same for these paths to the file names
C:\WINDOWS\System32\NVJCEXF.EXE
C:\WINDOWS\SYSTEM32\DrPMon.dll
C:\WINDOWS\system32\eipmgee.exe
C:\WINDOWS\system32\atipatxx.exe
C:\WINDOWS\system32\ntddetect.exe
C:\WINDOWS\system32\TFTP1216
C:\WINDOWS\system32\vxgame1.exe
C:\WINDOWS\system32\vxh8jkdq7.exe
C:\WINDOWS\system32\web.exe
C:\WINDOWS\system32\winldra.exe
C:\WINDOWS\system32\srpcsrv32.dll
C:\WINDOWS\system32\txfdb32.dll
C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\sys1311.exe
C:\WINDOWS\sys1313.exe
C:\WINDOWS\sys1314.exe
C:\WINDOWS\sys133.exe
C:\WINDOWS\sys135.exe
C:\WINDOWS\sys138.exe
C:\WINDOWS\sys143.exe
C:\WINDOWS\sys144.exe
C:\WINDOWS\sys145.exe
C:\WINDOWS\sys1810.exe
C:\WINDOWS\sys1812.exe
C:\WINDOWS\sys1814.exe
C:\WINDOWS\sys1816.exe
C:\WINDOWS\sys1818.exe
C:\WINDOWS\sys1828.exe
C:\WINDOWS\sys1829.exe
C:\WINDOWS\sys1830.exe
C:\WINDOWS\sys1836.exe
C:\WINDOWS\sys1838.exe
C:\WINDOWS\sys1839.exe
C:\WINDOWS\sys1840.exe
C:\WINDOWS\sys1841.exe
C:\WINDOWS\sys187.exe
C:\WINDOWS\sys2110.exe
C:\WINDOWS\sys2111.exe
C:\WINDOWS\sys2114.exe
C:\WINDOWS\sys2117.exe
C:\WINDOWS\sys2119.exe
C:\WINDOWS\sys2122.exe
C:\WINDOWS\sys2125.exe
C:\WINDOWS\sys217.exe
C:\WINDOWS\sys218.exe
C:\WINDOWS\sys219.exe
C:\WINDOWS\sys3429.exe
C:\WINDOWS\sys3433.exe
C:\WINDOWS\sys3436.exe
C:\WINDOWS\sys3448.exe
C:\WINDOWS\sys3452.exe
C:\WINDOWS\sys3454.exe
C:\WINDOWS\sys5757.exe
C:\WINDOWS\sys5758.exe
C:\WINDOWS\sys5759.exe
C:\WINDOWS\sys580.exe
C:\WINDOWS\sys581.exe
C:\WINDOWS\sys5911.exe
C:\WINDOWS\sys5916.exe
C:\WINDOWS\sys5919.exe
C:\WINDOWS\sys5923.exe
C:\WINDOWS\sys5926.exe
C:\WINDOWS\sys5929.exe
Allow the computer to Reboot
or Restart anyways when you've entered the last full path to the file name
(Make sure you enter them all)
Can you please restart back to Safe mode
In Safe mode
Double click on Remove.bat that you unzipped earlier
Dos window opens and closes quickly
Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report
Do another scan with Hijackthis and put a check next to these entries:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [mkqamh] c:\windows\system32\nvjcexf.exe <-- this entry may change names, but should still be found between these same 2 lines in the HijackThis scan
O4 - HKLM\..\Run: [DataLayer]
O4 - HKLM\..\Run: [mkqamh] c:\windows\system32\nvjcexf.exe
O4 - HKCU\..\Run: [CTFMON.EXE]
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart back to Normal mode
Post back a fresh Hijackthis log
Also a fresh log from RKFiles.bat and the report from Ewido's scan
-
I can see the ray of sunshine at the end of the tunnel.. what do you reckon?
PS: once you've okayed my logs, please let me know which antivirus to put on. (Yeah I know they weren't able to protect me last time around, but oh well, better to have something for the peace of mind!) I only had avast + Adaware before the smartsecurity + aurora hit. Is that enough?
Please find new logs below
Logfile of HijackThis v1.99.1
Scan saved at 06:58:21, on 26/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\hijackthis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
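Guestolo compares the 22/04 and 26/04 HijackThis logs by eye to see which autostart entries have gone and which are new. The Python below is an added example, not code from this thread or from HijackThis: it parses the entry lines of two logs, diffs them, and applies a small triage heuristic drawn from what the helper acted on in this thread, namely a Winlogon Shell value carrying anything beyond Explorer.exe, or an autostart or service binary sitting directly in the Windows folder root rather than under System32 or Program Files. The sample logs are trimmed copies of lines posted above; the heuristic is an assumption for illustration, and a hit is a reason to look, not a verdict (note that "Unknown owner" alone is not used, since the avast services in the later log carry it too).

```python
"""Diff two HijackThis logs and triage the autostart entries (added example)."""
import re
from dataclasses import dataclass

# Trimmed copies of entry lines from the two logs posted in this thread
# (22/04/2005 before cleanup, 26/04/2005 after). Constructed sample input.
BEFORE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [d3az32.exe] C:\WINDOWS\d3az32.exe
O4 - HKLM\..\Run: [bbdjjs] c:\windows\system32\dhdlalv.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# Entry lines start with a HijackThis section code such as F2, O4, O16, O23;
# the header and the running-process list do not match and are skipped.
LINE_RE = re.compile(r"^([FNOR]\d+) - (.+)$")
# First drive-letter path ending in .exe/.dll inside a (lowercased) entry.
IMAGE_RE = re.compile(r'"?([a-z]:\\[^"]*?\.(?:exe|dll))')


@dataclass(frozen=True)
class Entry:
    code: str   # section code, e.g. "O4"
    text: str   # rest of the line exactly as logged


def parse_log(text):
    """Return the Entry objects for every entry line in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_logs(before, after):
    """Entries only in the earlier log (removed) and only in the later (added)."""
    b, a = set(parse_log(before)), set(parse_log(after))
    key = lambda e: (e.code, e.text)
    return sorted(b - a, key=key), sorted(a - b, key=key)


def image_path(entry):
    """Best-effort extraction of what an entry launches, per section format."""
    text = entry.text
    if entry.code == "F2" and "Shell=" in text:
        return text.split("Shell=", 1)[1].strip()
    if entry.code == "O4" and "] " in text:
        return text.split("] ", 1)[1].strip()
    if entry.code == "O23":
        return text.rsplit(" - ", 1)[-1].strip()
    return text


def worth_a_look(entry):
    """Heuristic (an assumption for this example, not a HijackThis rule):
    flag a Shell value other than plain Explorer.exe, or a binary that sits
    directly in the Windows folder root. A hit means investigate, not delete.
    """
    path = image_path(entry).lower()
    if entry.code == "F2":
        return path != "explorer.exe"
    m = IMAGE_RE.search(path)
    if not m:
        return False
    parts = m.group(1).split("\\")      # e.g. ['c:', 'windows', 'nail.exe']
    return len(parts) == 3 and parts[1] == "windows"


def triage(before, after):
    """Summarise a before/after pair: removed, added, and flagged entries."""
    removed, added = diff_logs(before, after)
    flagged = [e for e in removed + added if worth_a_look(e)]
    return {"removed": removed, "added": added, "flagged": flagged}


if __name__ == "__main__":
    report = triage(BEFORE_LOG, AFTER_LOG)
    for section, entries in report.items():
        print(f"== {section} ==")
        for e in entries:
            print(f"  {e.code} - {e.text}")
```

Feed it two saved logs with `triage(open("before.log").read(), open("after.log").read())`; the "flagged" list is where a reviewer starts reading, while "added" shows anything that appeared between scans, whether that is a newly installed scanner's service or something creeping back.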
-
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 06:45:22, 26/04/2005
+ Report-Checksum: 996DF4F2
+ Date of database: 26/04/2005
+ Version of scan engine: v3.0
+ Duration: 24 min
+ Scanned Files: 24761
+ Speed: 17.11 Files/Second
+ Infected files: 107
+ Removed files: 107
+ Files put in quarantine: 107
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\Documents and Settings\Family\Application Data\uoiв.exe -> TrojanDownloader.Agent.df -> Cleaned with backup
C:\Documents and Settings\Family\Cookies\family@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\hjt\backups\backup-20050421-222752-908.dll -> TrojanDownloader.Agent.jb -> Cleaned with backup
C:\m320!.exe -> Dialer.Generic -> Cleaned with backup
C:\ml00!.exe -> TrojanDownloader.Small.aru -> Cleaned with backup
C:\new.exe -> TrojanDownloader.Small.aod -> Cleaned with backup
C:\Program Files\Zhwflzc\Dvwpne.exe -> Trojan.Small.cy -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1123561945-492894223-842925246-1004\Dc1.exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Cleaned with backup
C:\WINDOWS\Ahq.html -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Apa.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Aqf.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Asg.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Brr.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Buo.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Dna.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Dob.html -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\clientax.dll -> Spyware.180Solutions -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gbn283.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\Dvo.html -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\dvpd.dll -> Backdoor.Dumador.az -> Cleaned with backup
C:\WINDOWS\Ehe.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Euq.html -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Fnf.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Ghi.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Gpr.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Hst.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Idm.html -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Ifu.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Ikl.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\installer_SIAC.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\irzpx.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\Itc.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Jbg.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Jme.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Jvs.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Kvo.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Lhk.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Ljs.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Mcc.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Msb.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Obp.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Okf.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Pmh.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Pns.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\popup.html -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\prntsvra.dll -> Backdoor.Dumador.az -> Cleaned with backup
C:\WINDOWS\Qib.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Qmg.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Rug.html -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Sci.html -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Shi.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Smh.html -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system\svchost.exe -> Backdoor.Agent.iw -> Cleaned with backup
C:\WINDOWS\system32\aaa.dl_ -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\Afi.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Aum.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Bjc.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Bmo.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Bui.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Ckl.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Csm.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Eed.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Etp.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Feu.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\fghhpoo.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\Gai.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Gcj.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\hun32.dll -> TrojanProxy.Small.bk -> Cleaned with backup
C:\WINDOWS\system32\ihdlbaa.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\Imh.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Ipj.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Jkb.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Krn.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Ksr.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Lnc.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Lvu.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\MatAdown.dll -> TrojanDownloader.Small.zk -> Cleaned with backup
C:\WINDOWS\system32\mkbgbaa.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\Mrs.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Ncp.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\ngecaba.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\Okh.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Paa.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Pge.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Qjf.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Rfe.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Rga.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Rtc.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\svchost.dll -> Backdoor.Agent.iw -> Cleaned with backup
C:\WINDOWS\system32\Tbs.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\thun32.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\Too.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Tql.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Ubg.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Vea.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Vhv.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\Vpq.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq2.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq5.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq8.exe -> TrojanDownloader.Small.hx -> Cleaned with backup
C:\WINDOWS\ucmoreiex.exe -> Spyware.Ucmore.a -> Cleaned with backup
C:\WINDOWS\Ucp.html -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Ufn.html -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Ulf.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Vce.exe -> Spyware.Spywad.b -> Cleaned with backup
C:\WINDOWS\Vin.html -> Spyware.Spywad.b -> Cleaned with backup
::Report End
-
C:\hjt\rkfiles\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
-
Again, thanks for your time Guestolo, please find above all three logs as you requested.. any tips on what I should download to give my naked computer some protection would be invaluable..
-
Guestolo, while waiting for your final green light, I have now:
1) disabled system restore/restarted comp/enabled system restore
2) downloaded + installed SpywareBlaster
3) downloaded + installed SpywareGuard
4) downloaded + installed IE-Spyad
5) updated to latest Adaware
6) downloaded Spybot S&D
7) downloaded + installed ZoneAlarm
8) downloaded back avast - though it did let smartsecurity in
-
My most recent log with all the 8 steps above done: please let me know if all is good..
Thanks,
Logfile of HijackThis v1.99.1
Scan saved at 01:39:16, on 27/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\hijackthis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
Good work Tarzan, an anti-virus alone is no good nowadays, but you put the appropriate protections on your computer.
The last equation is making sure you check for the latest critical updates and Service Pack 2 at Windows Update
Not including Recommended updates unless they are something you prefer
Before you update, which I recommend you do
Can you do the following please
Download and unzip to desktop clear.zip
So you now have clear.reg on the desktop
Double click on clear.reg and allow to merge to the registry
Restart your computer
Can you look for the presence of any of these files on your computer
C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
Could you also let me know if you see any of these folders
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard
Let me know if you find any of them
Could you also download and unzip to desktop Files.zip
So you have the folder within extracted to desktop
Open the folder and double click on Find.bat
A text file will open, post the contents
-
»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»
Scanning for file(s)...
-
I waited 10 min but all the log said is above.
I didn't see any of the files either.
You should be a genius, Guestolo, thanks so much!
-
Thanks for looking tarzan
It looks like Ewido took care of all other files I was looking for with find.bat
Good work
I would say we can call this one a wrap
-
You've singlehandedly got rid of smartsecurity....
Awesome!
(I am currently on the Windows critical updates site to wrap it all up and get some sleep in a month!)
You oughtta write a book or something..
PS: I am a novice but you really explained all the steps to me and made each step crystal clear, so if you aren't writing a book, I think you oughtta write one soon!
Thanks once again..