Author Topic: My screen is blank, cant see desktop (Read 3993 times)

tarzan · « **on:** April 22, 2005, 02:57:08 PM »

Hi all, i need some help. I got the dreaded smartsecurity virus last week, u know, the "usual" red screen with black square etc.. I tried to use hijack this, and i seemingly got rid of it, but i might have done something wrong, because 2 days later, i now have a blank screen. i cant see any of my desktop at all, i can't use the Start button neither. Just a plain blank turquoise blue screen. I am currently in safemode.

Please find my log below, and I would be most grateful to anyone who can help!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Logfile of HijackThis v1.99.1
Scan saved at 20:49:43, on 22/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\dhdlalv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\hijackthis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3az32.exe] C:\WINDOWS\d3az32.exe
O4 - HKLM\..\Run: [bbdjjs] c:\windows\system32\dhdlalv.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O15 - Trusted IP range: 66.197.161.149
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipsm.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

tarzan · « **Reply #1 on:** April 24, 2005, 02:19:33 PM »

really need help guys...

i basically have a greenish- turquoise blueish screen when i switch on my computer. I can not see my desktop at all, and i can not use the Start option.

Cntrl Alt del gives me the task manager, but it wont even let me do a second cntrl alt del to shut down.

i am in safe mode at present.

guestolo · « **Reply #2 on:** April 24, 2005, 02:22:03 PM »

You have a couple different problems on your computer

Can you repost a fresh hijackthis log and I'll reply at first oppurtunity

tarzan · « **Reply #3 on:** April 24, 2005, 03:35:22 PM »

oh mate, I'd be most grateful for any help. here is the most recent log, done 2 minutes ago..

PS: as i mentioned earlier, i also had the smart-security virus, and i tried to delete it from hijackthis, following advice you gave to someone else..
PPS: i also keep getting an "aurora" pop up. it just ignores my popupstopper.
PPPS: in case u r wondering, i did have an antivirus (avast antivirus) but had to disable it while gettign rid of smartsecurity (which it hadnt been able to stop)

Logfile of HijackThis v1.99.1
Scan saved at 21:28:11, on 24/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\hjt\hijackthis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3az32.exe] C:\WINDOWS\d3az32.exe
O4 - HKLM\..\Run: [epdzfb] c:\windows\system32\juxtyn.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O15 - Trusted IP range: 66.197.161.149
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipsm.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

guestolo · « **Reply #4 on:** April 24, 2005, 03:50:29 PM »

I'm just on my way out the door, I need some information from you
Then we'll tackle your log later, I'll make sure I post when I get back

Can you do the following for me now
Please download Find_Its.zip from the link below
http://forums.net-integration.net/index.ph...=post&id=142443
UNZIP the contents to desktop
Open the FindIt's folder and double click on the FindIt's.bat

Wait for the log and post it back here

tarzan · « **Reply #5 on:** April 24, 2005, 04:22:31 PM »

Thanks for your time, please find the log below. its 10.15pm here, and as u r going out, i'll therefore go to bed, rather than sit up waiting for u

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' /> lol i'll have a quick look in here in 7 hrs time, before going to work, to see if you were able to have a look at my nasty log in between yr other commitments. Thanks again.

Microsoft Windows XP [Version 5.1.2600]
The current date is: 24/04/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

* aurora C:\WINDOWS\MURPZX.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\CCEUOVX.EXE
* UPX! C:\WINDOWS\System32\INIT32M.EXE
* UPX! C:\WINDOWS\System32\VXGAME3.EXE
* UPX! C:\WINDOWS\NAIL.EXE
* UPX! C:\WINDOWS\SSK_B5.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE
* UPX! C:\WINDOWS\SYJLIO~1.EXE

* Sniffed C:\WINDOWS\System32\DRPMON.DLL
»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\SASENT.DLL
* UPX! C:\WINDOWS\SASETUP.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* buddy C:\WINDOWS\SYJLIO~1.EXE

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

* SAHAgent C:\WINDOWS\System32\Q17I9A4J.EXE
* SAHAgent C:\WINDOWS\System32\70TOVMTO.INI
* SAHAgent C:\WINDOWS\System32\AP9H4QMO.INI
* SAHAgent C:\WINDOWS\System32\Q17I9A4J.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.

DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 3CC8-4744

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 3CC8-4744

Directory of C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»».

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME>   REG_SZ   Bolger Functional Class

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}
<NO NAME>   REG_SZ   IBolgerDllObj

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver   REG_SZ   DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver   REG_SZ   DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver   REG_SZ   DrPMon.dll

guestolo · « **Reply #6 on:** April 24, 2005, 11:25:53 PM »

You have some work ahead of you, but we should be able to get you clean

Download and save to a folder
Cleanall.zip
Unzip the contents so you now have fixdisply.reg>>remove.bat>>cwserviceremove.reg in the same folder
We'll need these later
[attachment=167:attachment]

Download and save to a folder CWShredder.exe from my signature below

==Download and Unzip to a folder Hoster.zip
We'll need this later

===Download to a folder
About:Buster.zip
by RubbeR Ducky
Unzip the contents, another folder will be placed inside
Open it and run About:buster.exe
Click the Update Button and check for updates, if any, download them
Then close it for now, we'll need this later

====Download the Pocket Killbox
UNZIP it to a folder of your choice

Save the rest of these instructions too a Notepad file and then disconnect from the Internet>>It's best to save this too notepad as I need you too copy and paste some directions
Close All browser windows, including this one

In SAFE MODE

Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- System Startup Service

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Do the same for this service name
Network Security Service

Navigate to About:buster you unzipped and updated earlier
==Start About:Buster and hit ok. Now for the scanning part. Hit Start and then Ok. The program should start scanning.Scan a Second time. Save the log... Then hit exit
You may have to scan more than twice, try 3 or 4 times until no files or Data Streams are found

==Double click on cwserviceremove.reg you unzipped earlier
and allow to merge to the registry when prompted

Run Pocket KillBox>>Now killbox and this notepad file is open
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\d3az32.exe

Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Do the same for these paths to the file names

c:\windows\system32\juxtyn.exe
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\ipsm.exe

C:\WINDOWS\MURPZX.EXE
C:\WINDOWS\System32\CCEUOVX.EXE
C:\WINDOWS\System32\INIT32M.EXE
C:\WINDOWS\System32\VXGAME3.EXE
C:\WINDOWS\NAIL.EXE

C:\WINDOWS\SSK_B5.EXE
C:\WINDOWS\SVCPROC.EXE
C:\WINDOWS\SYJLIO~1.EXE

C:\WINDOWS\SASENT.DLL
C:\WINDOWS\SASETUP.DLL

C:\WINDOWS\System32\Q17I9A4J.EXE
C:\WINDOWS\System32\70TOVMTO.INI
C:\WINDOWS\System32\AP9H4QMO.INI
C:\WINDOWS\System32\Q17I9A4J.INI

C:\WINDOWS\System32\DRPMON.DLL

Allow the computer to Reboot
or Restart anyways when you've entered the last full path to the file name
(Make sure you enter them all)
Can you please restart back to Safe mode
Don't worry about any file not found error messages if prompted

Find and delete this folder if it exists
C:\Windows\SYSTEM32\cache32_rtneg <-this folder

Go to START>>RUN>>type in
cmd
Hit OK

At the command prompt
type in the following>>(Enter) indicates hitting the Enter key on your keyboard
cd C:\Windows (Enter) <-notice single space after cd
nail.exe /FullRemove (Enter) <-space after exe
exit (enter)

After doing the above
Double click on remove.bat
You unzipped earlier
A dos window will open and close, this is normal

Double click on fixdsply.reg
Allow to merge to the registry at the prompt

Do another scan with Hijackthis and put a check next to these entries:
Not all may exist, but take a look

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3az32.exe] C:\WINDOWS\d3az32.exe
O4 - HKLM\..\Run: [epdzfb] c:\windows\system32\juxtyn.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O15 - Trusted IP range: 66.197.161.149

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipsm.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't log off yet

==Open Hoster you unzipped earlier
Click the "Restore Original Hosts" button

==Run CWShredder.exe
Click the FIX button, let it fix what it finds
Afterwards

Restart back to Normal mode
Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked

Post back a fresh hijackthis log>>try to post one in Normal mode
Also run FindIt's.bat again and post the log

We'll still have some cleaning to do, but this is a good start

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />
Please do as much of the above as you can before posting back as I may not see your updated logs until I get off work tomorrow

tarzan · « **Reply #7 on:** April 24, 2005, 11:50:24 PM »

all noted. going offline now to excute the above and typing with all my fingers crossed...thanks for yr time

Guest · « **Reply #8 on:** April 25, 2005, 01:19:40 AM »

i can now see my desktop, but as u said, some more stuf to be done lol .. please find pasted below my new hijack log. i'll post finditbat log in next reply

Logfile of HijackThis v1.99.1
Scan saved at 06:58:59, on 25/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
c:\windows\system32\nmrsnz.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\hijackthis.exe

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [rbrfks] c:\windows\system32\nmrsnz.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O15 - Trusted IP range: 66.197.161.149
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

tarzan · « **Reply #9 on:** April 25, 2005, 01:25:34 AM »

me again - (i had forgotten to log in). following up on the above hjt log, pls find below my most recent finditbatlog.
thanks (I'm off to work - late lol and i'll be back home in 13hrs (sad eh?!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

) to see if you had a chance to look at the logs.

Microsoft Windows XP [Version 5.1.2600]
The current date is: 25/04/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\NMRSNZ.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 3CC8-4744

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 3CC8-4744

Directory of C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»».

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME>   REG_SZ   Bolger Functional Class

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}
<NO NAME>   REG_SZ   IBolgerDllObj

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver   REG_SZ   DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver   REG_SZ   DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver   REG_SZ   DrPMon.dll

guestolo · « **Reply #10 on:** April 25, 2005, 01:30:50 AM »

I'm off to bed and work also
So I won't be back online for about 16 hours

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' />

I forgot to ask you to post the logs from About:buster
If you saved them could you post them, if not, don't worry about it
I'll look over your logs when I get back from work
Still a bit more cleaning to do.......
Try not too restart the computer until we try some final fixes

tarzan · « **Reply #11 on:** April 25, 2005, 02:59:30 AM »

am at work now, but yes i do remember saving the about buster file.. though this will mean switching on the comp.. will post it when i get home. (its my home comp which is infected)

guestolo · « **Reply #12 on:** April 25, 2005, 12:06:15 PM »

Can we do the following

Download the RKFiles.zip
http://skads.org/special/rkfiles.zip
UNZIP the contents to it's own folder

===Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf and save it to desktop
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As, save it to desktop

Again, save these instructions too a notepad file
Disconnect from the Internet>>Close all browser windows

Do another scan with Hijackthis and put a check next to these entries:

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [rbrfks] c:\windows\system32\nmrsnz.exe

O15 - Trusted IP range: 66.197.161.149

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Run Pocket KillBox>>Now killbox and this notepad file is open
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\System32\NMRSNZ.EXE

Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Do the same for this path to the file name

C:\WINDOWS\System32\msmsgs.exe

Allow the computer to Reboot
or Restart anyways when you've entered the last full path to the file name

Can you please restart back to Safe mode

In SAFE MODE

Open the folder you unzipped rkfiles.zip too
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt

Restart back to Normal mode

Post back a fresh Hijackthis log and the log from Rkfiles.bat
AFTER posting the logs
Could you also post another log from FindIt's.bat

tarzan · « **Reply #13 on:** April 25, 2005, 04:20:42 PM »

thanks.. in the meantime, here is that AB buster log we'd talked abt earlier. i will go offline and do all u've taken the time to write

Scanned at: 06:03:52 on: 25/04/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\System32\fhguv.dat
Removed! : C:\WINDOWS\System32\nthst32.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 06:06:13 on: 25/04/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\System32\fhguv.dat
Removed! : C:\WINDOWS\System32\nthst32.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 3 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

tarzan · « **Reply #14 on:** April 25, 2005, 05:14:29 PM »

Logfile of HijackThis v1.99.1
Scan saved at 23:05:40, on 25/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\nvjcexf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\hijackthis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [mkqamh] c:\windows\system32\nvjcexf.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

tarzan · « **Reply #15 on:** April 25, 2005, 05:15:50 PM »

C:\hjt\rkfiles\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\eipmgee.exe: UPX!
C:\WINDOWS\system32\atipatxx.exe: FSG!
C:\WINDOWS\system32\ntddetect.exe: FSG!
C:\WINDOWS\system32\TFTP1216: FSG!
C:\WINDOWS\system32\vxgame1.exe: FSG!
C:\WINDOWS\system32\vxh8jkdq7.exe: FSG!
C:\WINDOWS\system32\web.exe: FSG!
C:\WINDOWS\system32\winldra.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\srpcsrv32.dll: PEC2
C:\WINDOWS\system32\txfdb32.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\Nail.exe: UPX!
C:\WINDOWS\svcproc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\sys1311.exe: FSG!
C:\WINDOWS\sys1313.exe: FSG!
C:\WINDOWS\sys1314.exe: FSG!
C:\WINDOWS\sys133.exe: FSG!
C:\WINDOWS\sys135.exe: FSG!
C:\WINDOWS\sys138.exe: FSG!
C:\WINDOWS\sys143.exe: FSG!
C:\WINDOWS\sys144.exe: FSG!
C:\WINDOWS\sys145.exe: FSG!
C:\WINDOWS\sys1810.exe: FSG!
C:\WINDOWS\sys1812.exe: FSG!
C:\WINDOWS\sys1814.exe: FSG!
C:\WINDOWS\sys1816.exe: FSG!
C:\WINDOWS\sys1818.exe: FSG!
C:\WINDOWS\sys1828.exe: FSG!
C:\WINDOWS\sys1829.exe: FSG!
C:\WINDOWS\sys1830.exe: FSG!
C:\WINDOWS\sys1836.exe: FSG!
C:\WINDOWS\sys1838.exe: FSG!
C:\WINDOWS\sys1839.exe: FSG!
C:\WINDOWS\sys1840.exe: FSG!
C:\WINDOWS\sys1841.exe: FSG!
C:\WINDOWS\sys187.exe: FSG!
C:\WINDOWS\sys2110.exe: FSG!
C:\WINDOWS\sys2111.exe: FSG!
C:\WINDOWS\sys2114.exe: FSG!
C:\WINDOWS\sys2117.exe: FSG!
C:\WINDOWS\sys2119.exe: FSG!
C:\WINDOWS\sys2122.exe: FSG!
C:\WINDOWS\sys2125.exe: FSG!
C:\WINDOWS\sys217.exe: FSG!
C:\WINDOWS\sys218.exe: FSG!
C:\WINDOWS\sys219.exe: FSG!
C:\WINDOWS\sys3429.exe: FSG!
C:\WINDOWS\sys3433.exe: FSG!
C:\WINDOWS\sys3436.exe: FSG!
C:\WINDOWS\sys3448.exe: FSG!
C:\WINDOWS\sys3452.exe: FSG!
C:\WINDOWS\sys3454.exe: FSG!
C:\WINDOWS\sys5757.exe: FSG!
C:\WINDOWS\sys5758.exe: FSG!
C:\WINDOWS\sys5759.exe: FSG!
C:\WINDOWS\sys580.exe: FSG!
C:\WINDOWS\sys581.exe: FSG!
C:\WINDOWS\sys5911.exe: FSG!
C:\WINDOWS\sys5916.exe: FSG!
C:\WINDOWS\sys5919.exe: FSG!
C:\WINDOWS\sys5923.exe: FSG!
C:\WINDOWS\sys5926.exe: FSG!
C:\WINDOWS\sys5929.exe: FSG!
Finished
bye

tarzan · « **Reply #16 on:** April 25, 2005, 05:26:11 PM »

Microsoft Windows XP [Version 5.1.2600]
The current date is: 25/04/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

* aurora C:\WINDOWS\MURPZX.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\NVJCEXF.EXE
* UPX! C:\WINDOWS\NAIL.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE

* Sniffed C:\WINDOWS\System32\DRPMON.DLL
»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.

DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 3CC8-4744

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 3CC8-4744

Directory of C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»».

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME>   REG_SZ   Bolger Functional Class

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}
<NO NAME>   REG_SZ   IBolgerDllObj

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver   REG_SZ   DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver   REG_SZ   DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver   REG_SZ   DrPMon.dll

tarzan · « **Reply #17 on:** April 25, 2005, 05:29:49 PM »

some stuff has crept back.. damn.. i'll log bk in safemode tomoro (in 5 hrs actually)

guestolo · « **Reply #18 on:** April 25, 2005, 06:01:29 PM »

Yup, still some work to do

Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido

Disconnect from the Internet

Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- System Startup Service

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Run Pocket KillBox>>Now killbox and this notepad file is open
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\MURPZX.EXE

Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Do the same for these paths to the file names

C:\WINDOWS\System32\NVJCEXF.EXE
C:\WINDOWS\SYSTEM32\DrPMon.dll
C:\WINDOWS\system32\eipmgee.exe

C:\WINDOWS\system32\atipatxx.exe
C:\WINDOWS\system32\ntddetect.exe
C:\WINDOWS\system32\TFTP1216
C:\WINDOWS\system32\vxgame1.exe
C:\WINDOWS\system32\vxh8jkdq7.exe
C:\WINDOWS\system32\web.exe
C:\WINDOWS\system32\winldra.exe

C:\WINDOWS\system32\srpcsrv32.dll
C:\WINDOWS\system32\txfdb32.dll
C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe

C:\WINDOWS\sys1311.exe
C:\WINDOWS\sys1313.exe
C:\WINDOWS\sys1314.exe
C:\WINDOWS\sys133.exe
C:\WINDOWS\sys135.exe
C:\WINDOWS\sys138.exe
C:\WINDOWS\sys143.exe

C:\WINDOWS\sys144.exe
C:\WINDOWS\sys145.exe
C:\WINDOWS\sys1810.exe
C:\WINDOWS\sys1812.exe
C:\WINDOWS\sys1814.exe
C:\WINDOWS\sys1816.exe
C:\WINDOWS\sys1818.exe

C:\WINDOWS\sys1828.exe
C:\WINDOWS\sys1829.exe
C:\WINDOWS\sys1830.exe
C:\WINDOWS\sys1836.exe
C:\WINDOWS\sys1838.exe
C:\WINDOWS\sys1839.exe
C:\WINDOWS\sys1840.exe
C:\WINDOWS\sys1841.exe

C:\WINDOWS\sys187.exe
C:\WINDOWS\sys2110.exe
C:\WINDOWS\sys2111.exe
C:\WINDOWS\sys2114.exe
C:\WINDOWS\sys2117.exe
C:\WINDOWS\sys2119.exe
C:\WINDOWS\sys2122.exe

C:\WINDOWS\sys2125.exe
C:\WINDOWS\sys217.exe
C:\WINDOWS\sys218.exe
C:\WINDOWS\sys219.exe
C:\WINDOWS\sys3429.exe
C:\WINDOWS\sys3433.exe
C:\WINDOWS\sys3436.exe
C:\WINDOWS\sys3448.exe

C:\WINDOWS\sys3452.exe
C:\WINDOWS\sys3454.exe
C:\WINDOWS\sys5757.exe
C:\WINDOWS\sys5758.exe
C:\WINDOWS\sys5759.exe
C:\WINDOWS\sys580.exe
C:\WINDOWS\sys581.exe

C:\WINDOWS\sys5911.exe
C:\WINDOWS\sys5916.exe
C:\WINDOWS\sys5919.exe
C:\WINDOWS\sys5923.exe
C:\WINDOWS\sys5926.exe
C:\WINDOWS\sys5929.exe

Allow the computer to Reboot
or Restart anyways when you've entered the last full path to the file name
(Make sure you enter them all)
Can you please restart back to Safe mode

In Safe mode
Double click on Remove.bat that you unzipped earlier
Dos window opens and closes quickly

Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

Do another scan with Hijackthis and put a check next to these entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [mkqamh] c:\windows\system32\nvjcexf.exe<--this entry may change names, but should still be found between the same these 2 lines in the hijackthis scan
O4 - HKLM\..\Run: [DataLayer]
O4 - HKLM\..\Run: [mkqamh] c:\windows\system32\nvjcexf.exe
O4 - HKCU\..\Run: [CTFMON.EXE]

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode

Post back a fresh Hijackthis log
Also a fresh log from RKFiles.bat and the report from Ewidos scan

tarzan · « **Reply #19 on:** April 26, 2005, 01:06:18 AM »

i can see the ray of sunshine at the end of the tunnel.. what do u reckon?
PS: once u've okayed my logs, please let me know which antivirus to put on. (yeah i know they werent able to protect me last time around, but oh well

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' /> better to have something for the peace of mind! ) i only had avast + Adaware before the smartsecurity + aurora hit. is that enough?

Please find new logs below
Logfile of HijackThis v1.99.1
Scan saved at 06:58:21, on 26/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

News:

Author Topic: My screen is blank, cant see desktop (Read 3993 times)

Guest