Hi. I'm another person who has the Aurora popup. I wanted to follow instructions and not have to bother you guys with my own topic, but I can't seem to translate the instructions from being relevant to someone else to being relevant to me. So here we go.
I'm posting a logfile from HijackThis. My Windows folder is F:\FCKYOU2, due to my getting very frustrated a couple of years ago when I had to reinstall repeatedly. I apologize for the er, obscenity.
Also, I use FireFox now, not IE. I got the infection from using IE.


Logfile of HijackThis v1.99.1
Scan saved at 7:38:06 AM, on 8/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\FCKYOU2\System32\smss.exe
F:\FCKYOU2\system32\winlogon.exe
F:\FCKYOU2\system32\services.exe
F:\FCKYOU2\system32\lsass.exe
F:\FCKYOU2\system32\svchost.exe
F:\FCKYOU2\System32\svchost.exe
F:\FCKYOU2\system32\spoolsv.exe
F:\FCKYOU2\Explorer.exe
F:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
F:\FCKYOU2\TPPALDR.EXE
F:\FCKYOU2\system32\cisvc.exe
F:\FCKYOU2\system32\srvany.exe
F:\FCKYOU2\system32\resetservice.exe
F:\FCKYOU2\System32\svchost.exe
f:\fckyou2\system32\scbemrb.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Shenzie\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = E:\\FCKYOU2\SYSTEM32\BLANK.HTM
F2 - REG:system.ini: Shell=Explorer.exe F:\FCKYOU2\Nail.exe
F2 - REG:system.ini: UserInit=F:\FCKYOU2\System32\Userinit.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - F:\FCKYOU2\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - F:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - F:\FCKYOU2\AuroraHandler.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - F:\FCKYOU2\System32\vtduccli.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - F:\FCKYOU2\System32\dsktrf.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - F:\FCKYOU2\System32\richedtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Entropia Client] F:\Program Files\Entropia\Entropia Client\bin\Launcher.exe -Startup
O4 - HKLM\..\Run: [Babylon Client] F:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [ClamWin] "F:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DXDllRegExe] F:\FCKYOU2\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [TPP Auto Loader] F:\FCKYOU2\TPPALDR.EXE
O4 - HKLM\..\Run: [richup] F:\FCKYOU2\System32\richup.exe
O4 - HKLM\..\Run: [lanbrup] F:\FCKYOU2\System32\lanbrup.exe
O4 - HKLM\..\Run: [2p1ebr65] F:\FCKYOU2\System32\2p1ebr65.exe
O4 - HKLM\..\Run: [Sysnet] F:\DOCUME~1\Shenzie\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [Dinst] F:\FCKYOU2\dinst.exe
O4 - HKLM\..\Run: [aqlvenc] F:\FCKYOU2\aqlvenc.EXE
O4 - HKLM\..\Run: [byxeipa] F:\FCKYOU2\byxeipa.EXE
O4 - HKLM\..\Run: [juprvb] f:\fckyou2\system32\scbemrb.exe
O4 - HKCU\..\Run: [ClamWin] F:\Program Files\ClamWin\bin\ClamTray.exe --logon
O4 - HKCU\..\Run: [Gaim] F:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [HijackThis startup scan] F:\Documents and Settings\Shenzie\Desktop\hijackthis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [CMAPP] "F:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Startup: IconPackager.lnk.disabled
O4 - Global Startup: Microtek Scanner Finder.lnk = F:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with &Shareaza - res://F:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - F:\Program Files\CMAPP\Client\cmappmf.dll
O20 - Winlogon Notify: reset5 - F:\FCKYOU2\SYSTEM32\reset5.dll
O23 - Service: LogServerShell - Unknown owner - F:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe (file missing)
O23 - Service: Reset 5 - Unknown owner - F:\FCKYOU2\system32\srvany.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - F:\FCKYOU2\svcproc.exe
O23 - Service: TaskManagerShell - Unknown owner - F:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - F:\FCKYOU2\yodrxoi.exe
O23 - Service: Windows VisFx Components - Unknown owner - F:\FCKYOU2\aqlvsvc.exe

This post has been edited by shenzie2007: Aug 24 2005, 06:45 AM

Heya and Welcome to Geeks to Go, shenzie2007, my name is Guse and I'll be helping you on this one.

That an... err... interesting Windows directory name. It was totally throwing me off at first, what with necessary files not "being where they should be". But trust me, I understand the frustration.

You've got a pretty serious infection here, that we're going to try to take step by step.

Please download ewido security suite it is a free version of the program.

1. Install ewido security suite
2. When installing, under "Additional Options" uncheck..
   • Install background guard
   • Install scan via context menu
3. Launch ewido, there should be an icon on your desktop, double-click it.
4. The program will now open to the main screen.
5. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
   
6. You will need to update ewido to the latest definition files.
   • On the left hand side of the main screen click update.
   • Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed.
   (the status bar at the bottom will display ("Update successful")
8. Exit ewido. DO NOT scan yet.

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download CleanUp
Install the program, dont run it yet, we will later.

Please download this file: Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

Download dsrfix.zip
Save it to your desktop.

• Unzip dsrfix.zip and extract it to your desktop.
• This will create a new folder on your desktop named dsrfix.
• Do Not open that folder yet.

Please download APT and unzip the contents to a new folder on your desktop.

• Open the folder you just created and click on apt.exe and search in the window for F:\FCKYOU2\aqlvsvc.exe.
• Open your C:\Windows\system32 folder and search for aqlvsvc.exe.
  Don't delete it yet, just leave the system32 folder open so you can see the bad file.
• In APT again, Select F:\FCKYOU2\aqlvsvc.exe and Click Kill3
  
• Then immediately delete aqlvsvc.exe from your system32 folder.

Close APT.

To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, start tapping press F8 key.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open ewido and do a scan of your system.

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.

Now scan with HJT and place a checkmark next to each of the following items:

F2 - REG:system.ini: Shell=Explorer.exe F:\FCKYOU2\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - F:\FCKYOU2\dsr.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - F:\FCKYOU2\AuroraHandler.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - (no file)
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - F:\FCKYOU2\System32\vtduccli.dll
O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - F:\FCKYOU2\System32\dsktrf.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - F:\FCKYOU2\System32\richedtr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) O4 - HKLM\..\Run: [richup] F:\FCKYOU2\System32\richup.exe
O4 - HKLM\..\Run: [lanbrup] F:\FCKYOU2\System32\lanbrup.exe
O4 - HKLM\..\Run: [2p1ebr65] F:\FCKYOU2\System32\2p1ebr65.exe
O4 - HKLM\..\Run: [Dinst] F:\FCKYOU2\dinst.exe
O4 - HKLM\..\Run: [aqlvenc] F:\FCKYOU2\aqlvenc.EXE
O4 - HKLM\..\Run: [byxeipa] F:\FCKYOU2\byxeipa.EXE
O4 - HKLM\..\Run: [juprvb] f:\fckyou2\system32\scbemrb.exe
O4 - HKCU\..\Run: [CMAPP] "F:\Program Files\CMAPP\Client\cmappclient.exe"

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

Now open the folder dsrfix on your desktop.

• Double-Click on dsrfix.bat
• A window will pop up briefly then close, this is normal.

Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp

• Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
• When CleanUp starts go to the Options button (right side of CleanUp screen)
• Move the arrow down to "Custom CleanUp!"
• Now place a checkmark next to the following (Make sure nothing else is checked!):
  • Delete Cookies
    This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
  • Empty Recycle Bins
  • Delete Prefetch files
  • Cleanup! All Users
• Click OK
• Then click on the CleanUp button. This will take a short while, let it do its thing.
• When asked to reboot system select No
• Close CleanUp

Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply

This post has been edited by Guse: Aug 24 2005, 01:59 PM

Okay. I did what you said. At first I tried to do the stuff in Safe Mode without the instructions in front of me, which proved to be a mistake. I forgot what to do after the Ewido scan. I restarted in Normal mode, saved your instructions to a html file on my desktop and started over from the Ewido scan. The result of this is that I have two Ewido logs.
Anyway, here's the logs, of the HJT and the Ewido. The first Ewido log is dated wrong, due to my having the wrong time/date on my comp.

Logfile of HijackThis v1.99.1
Scan saved at 11:36:12 PM, on 8/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\FCKYOU2\System32\smss.exe
F:\FCKYOU2\system32\winlogon.exe
F:\FCKYOU2\system32\services.exe
F:\FCKYOU2\system32\lsass.exe
F:\FCKYOU2\system32\svchost.exe
F:\FCKYOU2\System32\svchost.exe
F:\FCKYOU2\system32\spoolsv.exe
F:\FCKYOU2\system32\cisvc.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\FCKYOU2\system32\srvany.exe
F:\FCKYOU2\System32\svchost.exe
F:\FCKYOU2\yodrxoi.exe
F:\FCKYOU2\system32\resetservice.exe
F:\FCKYOU2\aqlvsvc.exe
F:\FCKYOU2\Explorer.EXE
F:\Program Files\ClamWin\bin\ClamTray.exe
F:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
F:\FCKYOU2\TPPALDR.EXE
F:\FCKYOU2\byxeipa.exe
F:\FCKYOU2\vodkenc.exe
F:\Program Files\ClamWin\bin\ClamTray.exe
F:\Program Files\Gaim\gaim.exe
F:\Documents and Settings\Shenzie\Desktop\hijackthis\HijackThis.exe
F:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = E:\\FCKYOU2\SYSTEM32\BLANK.HTM
F2 - REG:system.ini: UserInit=F:\FCKYOU2\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - F:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - F:\FCKYOU2\System32\vtduccli.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Entropia Client] F:\Program Files\Entropia\Entropia Client\bin\Launcher.exe -Startup
O4 - HKLM\..\Run: [Babylon Client] F:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [ClamWin] "F:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DXDllRegExe] F:\FCKYOU2\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [TPP Auto Loader] F:\FCKYOU2\TPPALDR.EXE
O4 - HKLM\..\Run: [Sysnet] F:\DOCUME~1\Shenzie\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [byxeipa] F:\FCKYOU2\byxeipa.EXE
O4 - HKLM\..\Run: [vodkenc] F:\FCKYOU2\vodkenc.EXE
O4 - HKCU\..\Run: [ClamWin] F:\Program Files\ClamWin\bin\ClamTray.exe --logon
O4 - HKCU\..\Run: [Gaim] F:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [HijackThis startup scan] F:\Documents and Settings\Shenzie\Desktop\hijackthis\HijackThis.exe /startupscan
O4 - Startup: IconPackager.lnk.disabled
O4 - Global Startup: Microtek Scanner Finder.lnk = F:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with &Shareaza - res://F:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - F:\Program Files\CMAPP\Client\cmappmf.dll
O20 - Winlogon Notify: reset5 - F:\FCKYOU2\SYSTEM32\reset5.dll
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LogServerShell - Unknown owner - F:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe (file missing)
O23 - Service: Reset 5 - Unknown owner - F:\FCKYOU2\system32\srvany.exe
O23 - Service: TaskManagerShell - Unknown owner - F:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - F:\FCKYOU2\yodrxoi.exe
O23 - Service: Windows VisFx Components - Unknown owner - F:\FCKYOU2\aqlvsvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:39:44 PM, 8/28/2005
+ Report-Checksum: A79521A0

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{6024FCD5-91FC-4DC7-8481-63EABD5051D8} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{E4776F3A-6936-4A9C-B2DA-E57C239FD2F8} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{FF81672F-13FF-401F-8662-6E895C564CC4} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\dsktrf.amo -> Spyware.DesktopTraffic : Cleaned without backup
HKLM\SOFTWARE\Classes\dsktrf.amo\CLSID -> Spyware.DesktopTraffic : Cleaned without backup
HKLM\SOFTWARE\Classes\dsktrf.amo\CurVer -> Spyware.DesktopTraffic : Cleaned without backup
HKLM\SOFTWARE\Classes\dsktrf.iiittt -> Spyware.DesktopTraffic : Cleaned without backup
HKLM\SOFTWARE\Classes\dsktrf.iiittt\CLSID -> Spyware.DesktopTraffic : Cleaned without backup
HKLM\SOFTWARE\Classes\dsktrf.iiittt\CurVer -> Spyware.DesktopTraffic : Cleaned without backup
HKLM\SOFTWARE\Classes\dsktrf.momo -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\dsktrf.momo\CLSID -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\dsktrf.momo\CurVer -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\dsktrf.ohb -> Spyware.DesktopTraffic : Cleaned without backup
HKLM\SOFTWARE\Classes\dsktrf.ohb\CLSID -> Spyware.DesktopTraffic : Cleaned without backup
HKLM\SOFTWARE\Classes\dsktrf.ohb\CurVer -> Spyware.DesktopTraffic : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{17973BD7-959C-4D8A-8B2F-AB200E20A75E} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{42F58F60-9299-4564-9ABD-8E9324844560} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{696D1AF8-D0FF-42FD-BD8D-D0B20D64F508} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{6FE4AADF-EDAC-4037-9164-0B60179A4F12} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{8FC08358-3634-44C7-A8F2-96DC7F39ACD2} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{A797A41D-F9F0-4A32-B9B5-AF927CB5AE54} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{B12508AD-CA55-4238-8DB3-55808BA6915A} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{BF7CB2C3-55B6-44C1-9615-920D004C27F7} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{DE53FA5D-11CC-4CB5-8D8E-EB5AA59C1E5A} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{E38924F7-F290-4C13-BEEC-E8C587F58128} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{F912C325-5B26-4AD6-BF39-84370833E972} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{FA82A7EC-2AFC-4EE0-8F83-3229F7C6437E} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\TypeLib\{64440E59-A0DD-421C-AA4B-268141D764BB} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D568F0F-8AC9-40AB-88B7-415134C78777} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} -> Spyware.Begin2Search : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\70tovmto -> Spyware.SAHA : Cleaned without backup
HKLM\SOFTWARE\VGroup -> Spyware.SAHA : Cleaned without backup
HKLM\SOFTWARE\VGroup\SAHPopup -> Spyware.SAHA : Cleaned without backup
HKU\S-1-5-21-1547161642-1644491937-682003330-1004\Software\aaa_soft -> Spyware.Begin2Search : Cleaned without backup
HKU\S-1-5-21-1547161642-1644491937-682003330-1004\Software\aaa_soft\kkkk -> Spyware.Begin2Search : Cleaned without backup
HKU\S-1-5-21-1547161642-1644491937-682003330-1004\Software\aaa_soft\pppp -> Spyware.Begin2Search : Cleaned without backup
HKU\S-1-5-21-1547161642-1644491937-682003330-1004\Software\aaa_soft\ssss -> Spyware.Begin2Search : Cleaned without backup
HKU\S-1-5-21-1547161642-1644491937-682003330-1004\Software\drelkge789AEF5 -> Spyware.DesktopTraffic : Cleaned without backup
HKU\S-1-5-21-1547161642-1644491937-682003330-1004\Software\drelkge789AEF5\eeennn -> Spyware.DesktopTraffic : Cleaned without backup
HKU\S-1-5-21-1547161642-1644491937-682003330-1004\Software\drelkge789AEF5\kkws -> Spyware.DesktopTraffic : Cleaned without backup
HKU\S-1-5-21-1547161642-1644491937-682003330-1004\Software\drelkge789AEF5\ppops -> Spyware.DesktopTraffic : Cleaned without backup
HKU\S-1-5-21-1547161642-1644491937-682003330-1004\Software\drelkge789AEF5\reel -> Spyware.DesktopTraffic : Cleaned without backup
HKU\S-1-5-21-1547161642-1644491937-682003330-1004\Software\drelkge789AEF5\ssites -> Spyware.DesktopTraffic : Cleaned without backup
HKU\S-1-5-21-1547161642-1644491937-682003330-1004\Software\_dsktptr -> Spyware.DesktopTraffic : Cleaned without backup
HKU\S-1-5-21-1547161642-1644491937-682003330-1004\Software\_dsktptr\ppops -> Spyware.DesktopTraffic : Cleaned without backup
HKU\S-1-5-21-1547161642-1644491937-682003330-1004\Software\_dsktptr\ssites -> Spyware.DesktopTraffic : Cleaned without backup
F:\FCKYOU2\5k7s3b9s.exe -> Adware.SAHA : Cleaned without backup
F:\FCKYOU2\70tovmto.exe -> Adware.SAHA : Cleaned without backup
F:\FCKYOU2\aqlvenc.exe -> Spyware.Hijacker.Generic : Cleaned without backup
F:\FCKYOU2\AuroraHandler.dll -> Adware.BetterInternet : Cleaned without backup
F:\FCKYOU2\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned without backup
F:\FCKYOU2\dsr.dll -> Spyware.Hijacker.Generic : Cleaned without backup
F:\FCKYOU2\dsr.exe -> Trojan.Imiserv.c : Cleaned without backup
F:\FCKYOU2\hjvusvc.exe -> TrojanDropper.Agent.mu : Cleaned without backup
F:\FCKYOU2\ijelgmdim.exe -> Adware.BetterInternet : Cleaned without backup
F:\FCKYOU2\system32\2p1ebr65.exe -> Adware.Saha : Cleaned without backup
F:\FCKYOU2\system32\ap9h4qmo.exe -> Adware.SAHA : Cleaned without backup
F:\FCKYOU2\system32\l62gjp87.exe -> Adware.SAHA : Cleaned without backup
F:\FCKYOU2\system32\lanbrup.exe -> Spyware.SafeSurfing : Cleaned without backup
F:\FCKYOU2\system32\lkir8l2gm.dll -> Adware.SAHA : Cleaned without backup
F:\FCKYOU2\system32\nsh2.dll -> Spyware.Beginto : Cleaned without backup
F:\FCKYOU2\system32\nsi2C3.dll -> Spyware.Beginto : Cleaned without backup
F:\FCKYOU2\system32\nskA4.dll -> Spyware.Beginto : Cleaned without backup
F:\FCKYOU2\system32\nsv2.dll -> Spyware.Beginto : Cleaned without backup
F:\FCKYOU2\system32\nsx2.dll -> Spyware.Beginto : Cleaned without backup
F:\FCKYOU2\system32\o4ps3dv9.dll -> Adware.SAHA : Cleaned without backup
F:\FCKYOU2\system32\q17i9a4j.exe -> Adware.SAHA : Cleaned without backup
F:\FCKYOU2\system32\qh4mkbv9.dll -> Adware.SAHA : Cleaned without backup
F:\FCKYOU2\system32\redtrsha.dll -> Spyware.SafeSurfing : Cleaned without backup
F:\FCKYOU2\system32\richup.exe -> Spyware.SafeSurfing : Cleaned without backup
F:\FCKYOU2\system32\rtneg3.dll -> Spyware.Beginto : Cleaned without backup
F:\FCKYOU2\system32\vtduccli.dll -> Spyware.SafeSurfing : Cleaned without backup
F:\FCKYOU2\System320nsz2FC0 -> Spyware.HotSearchBar : Cleaned without backup
F:\FCKYOU2\tdtb.exe -> Trojan.Imiserv.c : Cleaned without backup
F:\Documents and Settings\Shenzie\Cookies\shenzie@www.shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned without backup


::Report End

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:24:30 PM, 8/24/2005
+ Report-Checksum: A471D3A0

+ Scan result:

:mozilla.15:F:\Documents and Settings\Anyone Else\Application Data\Mozilla\Profiles\default\cj0ig1ik.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned without backup
:mozilla.17:F:\Documents and Settings\Anyone Else\Application Data\Mozilla\Profiles\default\cj0ig1ik.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned without backup
:mozilla.22:F:\Documents and Settings\Anyone Else\Application Data\Mozilla\Profiles\default\cj0ig1ik.slt\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned without backup
:mozilla.30:F:\Documents and Settings\Anyone Else\Application Data\Mozilla\Profiles\default\cj0ig1ik.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned without backup
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\092BCDEN\DrPMon[1].dll -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\.clamwin\quarantine\reg6523.exe -> Spyware.Beginto : Cleaned without backup
:mozilla.89:F:\Documents and Settings\Shenzie\Application Data\Mozilla\Profiles\default\frns20vm.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned without backup
:mozilla.6:F:\Documents and Settings\Shenzie\Application Data\Mozilla\Profiles\mdezh66g.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.7:F:\Documents and Settings\Shenzie\Application Data\Mozilla\Profiles\mdezh66g.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.8:F:\Documents and Settings\Shenzie\Application Data\Mozilla\Profiles\mdezh66g.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.9:F:\Documents and Settings\Shenzie\Application Data\Mozilla\Profiles\mdezh66g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.10:F:\Documents and Settings\Shenzie\Application Data\Mozilla\Profiles\mdezh66g.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.11:F:\Documents and Settings\Shenzie\Application Data\Mozilla\Profiles\mdezh66g.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned without backup
:mozilla.12:F:\Documents and Settings\Shenzie\Application Data\Mozilla\Profiles\mdezh66g.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned without backup
F:\Documents and Settings\Shenzie\Desktop\hijackthis\backups\backup-20050429-214757-745.dll -> Spyware.Beginto : Cleaned without backup
F:\Documents and Settings\Shenzie\Desktop\hijackthis\backups\backup-20050514-111619-779.dll -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\AEH\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\asfjkk32.tmp -> Spyware.SafeSurfing : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\ATW\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\BMI\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\BTW\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\BZP\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\CDH\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\CKY\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\CMI\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\CXO\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\DQE\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\DrTemp\wupdt.exe -> TrojanDownloader.Intexp.c : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\DUN\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\DUY\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\ELX\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\END\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\EWX\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\FNB\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\FNH\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\GEY\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\GIO\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\GRZ\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\GTL\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\GTY\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\GXD\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\HKE\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\HOJ\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\II512.tmp -> Spyware.Beginto.c : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\JAA\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\JAG\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\JHQ\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\labpengs.tmp -> Spyware.SafeSurfing : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\LVI\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\MKL\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\MZW\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\OHO\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\OLG\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\OUY\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\PAC\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\RKY\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\RMO\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\ROH\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\RVC\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\RXD\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\SDD\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\SDF\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\SMX\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\SZJ\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\TFA\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\THZ\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\VGX\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\VIF\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\VRO\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\VRV\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\WIF\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\WMB\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\WXQ\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\XMO\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\XQV\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\XSM\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\XZW\uacupg.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\YHK\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\YSQ\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\ZAE\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\ZAR\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Local Settings\Temp\ZNB\aurareco.exe -> Adware.BetterInternet : Cleaned without backup
F:\Documents and Settings\Shenzie\Shenzie\Cookies\shenzie@112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned without backup
F:\FCKYOU2\mwfpenc.exe -> Spyware.Hijacker.Generic : Cleaned without backup
F:\Program Files\CMAPP\Client\cmappclient.exe -> Spyware.CASClient : Cleaned without backup
F:\Program Files\CMAPP\Client\cmappmf.dll -> Spyware.CASClient : Cleaned without backup
H:\finished downloaded\Babylon 3.50b reg_crack.zip/FILE.VBS -> Worm.Gedza : Cleaned without backup


::Report End

Thanks for your help! I appreciate it.

Great job! Looks like we took care of a few infections there. We're not done yet, though...

I'd suggest saving these instructions to notepad or printing them out. It makes the whole process easier.

1. Click this link to be sure you can view hidden files.

2. Reboot into safe mode.

3. Go to Start->Run and type in services.msc and hit OK. Then look for Windows Overlay Components and double click on it. Click on the Stop button and under Startup type, choose Disabled.

4. Repeat the same thing for Windows VisFx Components

5. Now open and run Ewido:

• Click on scanner
• Click Complete System Scan and the scan will begin.
• During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
• When the scan is finished, look at the bottom of the screen and click the Save report button.
• Save the report to your desktop

Close Ewido

6. Close all browsers, windows and unneeded programs.

7. Open HijackThis and do a scan.

8. Place checks marks next to the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = E:\\FCKYOU2\SYSTEM32\BLANK.HTM
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - F:\FCKYOU2\System32\vtduccli.dll (file missing)
O4 - HKLM\..\Run: [byxeipa] F:\FCKYOU2\byxeipa.EXE
O4 - HKLM\..\Run: [vodkenc] F:\FCKYOU2\vodkenc.EXE
O23 - Service: Windows Overlay Components - Unknown owner - F:\FCKYOU2\yodrxoi.exe
O23 - Service: Windows VisFx Components - Unknown owner - F:\FCKYOU2\aqlvsvc.exe

Click Fix Checked

9. Using Windows Explorer, find and delete the following items:

F:\FCKYOU2\aqlvsvc.exe
F:\FCKYOU2\yodrxoi.exe
F:\FCKYOU2\vodkenc.EXE
F:\FCKYOU2\byxeipa.EXE

10. Now, let's remove some bad services:

• Open HiJackThis
• Click on the configure button on the bottom right
• Click on the tab "Misc Tools"
• click on "delete an NT service"
• Copy and paste this in the box: Windows Overlay Components
• Click "ok", then reboot

• Open HiJackThis
• Click on the configure button on the bottom right
• Click on the tab "Misc Tools"
• click on "delete an NT service"
• Copy and paste this in the box: Windows VisFx Components
• Click "ok", then reboot

Reboot into Normal Mode.

Post back here with both the Ewido scan log (the newest only) and a new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 10:07:32 PM, on 8/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\FCKYOU2\System32\smss.exe
F:\FCKYOU2\system32\winlogon.exe
F:\FCKYOU2\system32\services.exe
F:\FCKYOU2\system32\lsass.exe
F:\FCKYOU2\system32\svchost.exe
F:\FCKYOU2\System32\svchost.exe
F:\FCKYOU2\system32\spoolsv.exe
F:\FCKYOU2\system32\cisvc.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\FCKYOU2\system32\srvany.exe
F:\FCKYOU2\System32\svchost.exe
F:\FCKYOU2\system32\resetservice.exe
F:\FCKYOU2\Explorer.EXE
F:\Program Files\ClamWin\bin\ClamTray.exe
F:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
F:\FCKYOU2\TPPALDR.EXE
F:\Program Files\Gaim\gaim.exe
F:\Documents and Settings\Shenzie\Desktop\hijackthis\HijackThis.exe
F:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

F2 - REG:system.ini: UserInit=F:\FCKYOU2\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - F:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Entropia Client] F:\Program Files\Entropia\Entropia Client\bin\Launcher.exe -Startup
O4 - HKLM\..\Run: [Babylon Client] F:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [ClamWin] "F:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DXDllRegExe] F:\FCKYOU2\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [TPP Auto Loader] F:\FCKYOU2\TPPALDR.EXE
O4 - HKLM\..\Run: [Sysnet] F:\DOCUME~1\Shenzie\LOCALS~1\Temp\sysnet.exe
O4 - HKCU\..\Run: [ClamWin] F:\Program Files\ClamWin\bin\ClamTray.exe --logon
O4 - HKCU\..\Run: [Gaim] F:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [HijackThis startup scan] F:\Documents and Settings\Shenzie\Desktop\hijackthis\HijackThis.exe /startupscan
O4 - Startup: IconPackager.lnk.disabled
O4 - Global Startup: Microtek Scanner Finder.lnk = F:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with &Shareaza - res://F:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - F:\Program Files\CMAPP\Client\cmappmf.dll
O20 - Winlogon Notify: reset5 - F:\FCKYOU2\SYSTEM32\reset5.dll
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LogServerShell - Unknown owner - F:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe (file missing)
O23 - Service: Reset 5 - Unknown owner - F:\FCKYOU2\system32\srvany.exe
O23 - Service: TaskManagerShell - Unknown owner - F:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe (file missing)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:54:53 PM, 8/25/2005
+ Report-Checksum: A0D5606B

+ Scan result:

F:\FCKYOU2\vodkenc.exe -> Spyware.Hijacker.Generic : Cleaned without backup


::Report End

Am I clean yet? :)
Thanks again for your help.

We're really close.

I need to ask you a couple of questions first. Is this a work computer or a computer that intentionally has restrictions on the Control Panel, etc.?

Also, do you intentionally use Shareaza? If so, are you really addicted to it, because programs like Shareaza have been known to be bundled with spyware.

After you answer these questions I think we have 1 more go-around before you're clean.

It's a home computer but I don't think restrictions are supposed to be there. I did do some stuff to make Internet Explorer much safer (by basically trying to eliminate ALL of its abilities). I'm not addicted to Shareaza, and will remove it in that case.

Alright, open HijackThis, check the following entries:

O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - F:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O4 - HKLM\..\Run: [Sysnet] F:\DOCUME~1\Shenzie\LOCALS~1\Temp\sysnet.exe

Close all other open windows and programs and click Fix Checked

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:
  Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information (along with another HijackThis log) in your next post.

Hopefully, this'll be the last of it.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, August 27, 2005 13:19:01
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/08/2005
Kaspersky Anti-Virus database records: 145893
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 97894
Number of viruses found: 35
Number of infected objects: 65
Number of suspicious objects: 0
Duration of the scan process: 5359 sec

Infected Object Name - Virus Name
C:\Program Files\asys\Stb.exe Infected: Trojan-Downloader.Win32.Agent.tf
C:\Program Files\asys\VFX60_nok.exe Infected: Trojan-Dropper.Win32.Agent.tb
F:\Documents and Settings\All Users\Desktop\nailfix\Process.exe Infected: not-a-virus:RiskTool.Win32.Processor.20
F:\Documents and Settings\Shenzie\.clamwin\quarantine\desktrf-cat_b2s.exe/data0002 Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.b
F:\Documents and Settings\Shenzie\.clamwin\quarantine\desktrf-cat_b2s.exe Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.b
F:\Documents and Settings\Shenzie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-482d1346.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
F:\Documents and Settings\Shenzie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-482d1346.zip Infected: Trojan-Downloader.Java.OpenStream.w
F:\Documents and Settings\Shenzie\Desktop\hijackthis\backups\backup-20050824-232845-983.dll Infected: not-a-virus:AdWare.SafeSurfing.m
F:\FCKYOU2\qqdtxnu.exe Infected: not-a-virus:AdWare.BetterInternet.r
F:\FCKYOU2\svbmfzq.exe Infected: Trojan-Dropper.Win32.Agent.tb
F:\FCKYOU2\system32\5k7s3b9s.ini Infected: not-a-virus:AdWare.Sahat.ao
F:\FCKYOU2\system32\70tovmto.ini Infected: not-a-virus:AdWare.Sahat.ao
F:\FCKYOU2\system32\ap9h4qmo.ini Infected: not-a-virus:AdWare.Sahat.ao
F:\FCKYOU2\system32\dsktrf.dll Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.b
F:\FCKYOU2\system32\InstallerV4.exe/data0001 Infected: not-a-virus:AdWare.SafeSurfing.o
F:\FCKYOU2\system32\InstallerV4.exe Infected: not-a-virus:AdWare.SafeSurfing.o
F:\FCKYOU2\system32\lanbruns.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.i
F:\FCKYOU2\system32\lanbruns.exe Infected: Trojan-Downloader.NSIS.Agent.i
F:\FCKYOU2\system32\wirelanb.dll Infected: not-a-virus:AdWare.SafeSurfing.q
F:\Program Files\CMAPP\cmappstub.exe Infected: Trojan-Downloader.Win32.Agent.tf
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009511.exe Infected: not-a-virus:AdWare.BetterInternet.r
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009513.exe Infected: not-a-virus:AdWare.BetterInternet.r
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009515.exe Infected: Trojan.Win32.Agent.cp
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009522.exe Infected: not-a-virus:AdWare.BetterInternet.r
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009524.dll Infected: Trojan.Win32.Agent.db
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009525.exe Infected: not-a-virus:AdWare.Sahat.ah
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009526.exe Infected: not-a-virus:AdWare.Sahat.o
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009527.exe Infected: Trojan-AOL.Win32.VB.gn
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009528.dll Infected: not-a-virus:AdWare.BetterInternet.h
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009529.exe Infected: Trojan-Downloader.Win32.Intexp.d
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009530.dll Infected: not-a-virus:AdWare.ToolBar.ImiBar.h
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009531.exe/dsr.dll Infected: not-a-virus:AdWare.ToolBar.ImiBar.h
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009531.exe Infected: not-a-virus:AdWare.ToolBar.ImiBar.h
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009532.exe Infected: Trojan-Dropper.Win32.Agent.mu
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009533.exe Infected: not-a-virus:AdWare.BetterInternet
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009534.exe Infected: not-a-virus:AdWare.Sahat.ai
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009535.exe Infected: not-a-virus:AdWare.Sahat.o
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009536.exe Infected: not-a-virus:AdWare.Sahat.f
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009537.exe Infected: not-a-virus:AdWare.SafeSurfing.n
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009538.dll Infected: not-a-virus:AdWare.Sahat.l
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009539.dll Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.e
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009540.dll Infected: not-a-virus:AdWare.Beginto.c
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009541.dll Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.e
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009542.dll Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.e
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009543.dll Infected: not-a-virus:AdWare.Beginto.c
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009544.dll Infected: not-a-virus:AdWare.Sahat.ad
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009545.exe Infected: not-a-virus:AdWare.Sahat.o
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009546.dll Infected: not-a-virus:AdWare.Sahat.l
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009547.dll Infected: not-a-virus:AdWare.SafeSurfing.j
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009548.exe Infected: not-a-virus:AdWare.SafeSurfing.i
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009549.dll Infected: not-a-virus:AdWare.Beginto.c
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009550.dll Infected: not-a-virus:AdWare.SafeSurfing.p
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009551.exe/systb.dll Infected: not-a-virus:AdWare.ToolBar.ImiBar.d
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009551.exe Infected: not-a-virus:AdWare.ToolBar.ImiBar.d
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009567.exe Infected: not-a-virus:AdWare.Beginto.a
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009568.dll Infected: not-a-virus:AdWare.Beginto.c
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009569.dll Infected: not-a-virus:AdWare.BetterInternet
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009570.exe Infected: Trojan-AOL.Win32.VB.gn
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009571.exe Infected: not-a-virus:AdWare.CASClient.a
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009572.dll Infected: not-a-virus:AdWare.CASClient.a
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP79\A0009573.dll Infected: not-a-virus:AdWare.SafeSurfing.m
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP80\A0009594.exe Infected: Trojan-AOL.Win32.VB.gn
F:\System Volume Information\_restore{10D5F83F-509C-42CF-8FC2-DAF7F946C974}\RP80\A0009596.exe Infected: Trojan-Dropper.Win32.Agent.tb
H:\finished downloaded\programs\mirc614.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.614
H:\finished downloaded\programs\mirc614.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614

Scan process completed.



Logfile of HijackThis v1.99.1
Scan saved at 1:19:17 PM, on 8/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\FCKYOU2\System32\smss.exe
F:\FCKYOU2\system32\winlogon.exe
F:\FCKYOU2\system32\services.exe
F:\FCKYOU2\system32\lsass.exe
F:\FCKYOU2\system32\svchost.exe
F:\FCKYOU2\System32\svchost.exe
F:\FCKYOU2\system32\spoolsv.exe
F:\FCKYOU2\system32\cisvc.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\FCKYOU2\system32\srvany.exe
F:\FCKYOU2\System32\svchost.exe
F:\FCKYOU2\system32\resetservice.exe
F:\FCKYOU2\Explorer.EXE
F:\Program Files\ClamWin\bin\ClamTray.exe
F:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
F:\FCKYOU2\TPPALDR.EXE
F:\Documents and Settings\Shenzie\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=F:\FCKYOU2\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Entropia Client] F:\Program Files\Entropia\Entropia Client\bin\Launcher.exe -Startup
O4 - HKLM\..\Run: [Babylon Client] F:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [ClamWin] "F:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DXDllRegExe] F:\FCKYOU2\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [TPP Auto Loader] F:\FCKYOU2\TPPALDR.EXE
O4 - HKCU\..\Run: [ClamWin] F:\Program Files\ClamWin\bin\ClamTray.exe --logon
O4 - HKCU\..\Run: [Gaim] F:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [HijackThis startup scan] F:\Documents and Settings\Shenzie\Desktop\hijackthis\HijackThis.exe /startupscan
O4 - Startup: IconPackager.lnk.disabled
O4 - Global Startup: Microtek Scanner Finder.lnk = F:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with &Shareaza - res://F:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - F:\Program Files\CMAPP\Client\cmappmf.dll
O20 - Winlogon Notify: reset5 - F:\FCKYOU2\SYSTEM32\reset5.dll
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LogServerShell - Unknown owner - F:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe (file missing)
O23 - Service: Reset 5 - Unknown owner - F:\FCKYOU2\system32\srvany.exe
O23 - Service: TaskManagerShell - Unknown owner - F:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe (file missing)

Okay. That's way more stuff than I expected. O.o;

Wow. Glad I had you run that last scan.

Alright. We need to do something about that. I don't see a virus scanner, so let's download a good, free one.

Go to here and download the free version of AVG virus scanner by clicking Download AVG Trial.

Update the definitions by opening AVG and clicking Check for Updates and run a full system scan.

Post the results as a reply in this thread.

This post has been edited by Guse: Aug 27 2005, 04:52 PM

F:\Documents and Settings\Shenzie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-482d1346.zip:\javainstaller\InstallerApplet.class Virus identified Java/OpenStream Infected, Embedded object
F:\Documents and Settings\Shenzie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-482d1346.zip Virus identified Java/OpenStream Infected, Archive
C:\Program Files\asys\Stb.exe Deleted
F:\FCKYOU2\svbmfzq.exe Deleted
F:\Program Files\CMAPP\cmappstub.exe Deleted

Nice. Run me one more HijackThis log and we should be done.

Chances are good that if AVG doesn't find it, it ain't there.

Logfile of HijackThis v1.99.1
Scan saved at 10:46:21 AM, on 8/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\FCKYOU2\System32\smss.exe
F:\FCKYOU2\system32\winlogon.exe
F:\FCKYOU2\system32\services.exe
F:\FCKYOU2\system32\lsass.exe
F:\FCKYOU2\system32\svchost.exe
F:\FCKYOU2\System32\svchost.exe
F:\FCKYOU2\system32\spoolsv.exe
F:\FCKYOU2\Explorer.EXE
F:\Program Files\ClamWin\bin\ClamTray.exe
F:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
F:\FCKYOU2\TPPALDR.EXE
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Gaim\gaim.exe
F:\Documents and Settings\Shenzie\Desktop\hijackthis\HijackThis.exe
F:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\FCKYOU2\system32\cisvc.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\FCKYOU2\system32\srvany.exe
F:\FCKYOU2\System32\svchost.exe
F:\FCKYOU2\system32\resetservice.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\PROGRA~1\Grisoft\AVG7\avgw.exe

F2 - REG:system.ini: UserInit=F:\FCKYOU2\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Entropia Client] F:\Program Files\Entropia\Entropia Client\bin\Launcher.exe -Startup
O4 - HKLM\..\Run: [Babylon Client] F:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [ClamWin] "F:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DXDllRegExe] F:\FCKYOU2\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [TPP Auto Loader] F:\FCKYOU2\TPPALDR.EXE
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [ClamWin] F:\Program Files\ClamWin\bin\ClamTray.exe --logon
O4 - HKCU\..\Run: [Gaim] F:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [HijackThis startup scan] F:\Documents and Settings\Shenzie\Desktop\hijackthis\HijackThis.exe /startupscan
O4 - Startup: IconPackager.lnk.disabled
O4 - Global Startup: Microtek Scanner Finder.lnk = F:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with &Shareaza - res://F:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - F:\Program Files\CMAPP\Client\cmappmf.dll
O20 - Winlogon Notify: reset5 - F:\FCKYOU2\SYSTEM32\reset5.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LogServerShell - Unknown owner - F:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe (file missing)
O23 - Service: Reset 5 - Unknown owner - F:\FCKYOU2\system32\srvany.exe
O23 - Service: TaskManagerShell - Unknown owner - F:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe (file missing)

Thanks so much!

Not done yet. You actually DID have a virus scanner, and I totally missed it. You can choose between AVG and ClamWin, just uninstall the one you don't want. Since AVG is a free/trial version, you may want to ditch that one.

Run HijackThis and place checks next to the following entries:

F2 - REG:system.ini: UserInit=F:\FCKYOU2\System32\Userinit.exe
O4 - HKCU\..\Run: [HijackThis startup scan] F:\Documents and Settings\Shenzie\Desktop\hijackthis\HijackThis.exe /startupscan
O8 - Extra context menu item: Download with &Shareaza - res://F:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - F:\Program Files\CMAPP\Client\cmappmf.dll
O20 - Winlogon Notify: reset5 - F:\FCKYOU2\SYSTEM32\reset5.dll

Close all other windows and click Fix This.

Also, did you remove a program called "Entropia" lately? If so, there's some cleanup we can do.

Regardless, there's 1 trojan hanging on that I'm trying to get rid of.

Go to Start -> Run and type in "services.msc" (no quotes) and double click on the following service:

Reset 5

In the window that pops up, click the Stop button and then change the startup type to "Disabled".

• Open HijackThis.
• Click the Config button.
• Click the Misc Tools button.
• Select Delete an NT service.
• Copy and paste the following into the box:
  Reset 5
• Click Ok.

Then, using Windows Explorer, navigate to, find and delete the following file:

F:\FCKYOU2\system32\srvany.exe

When all this is done, run me another HijackThis log and post it here. Sorry it's taking so long, and the majority of the log is clean.

>Sorry it's taking so long
No problem. Thank you for helping me!

About Entropia... it's the name of a program also called Fight Aids @ Home, which I installed a year or two ago. It's no longer operating. I just now uninstalled it when you mentioned it.

Here's a HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:46:40 AM, on 8/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\FCKYOU2\System32\smss.exe
F:\FCKYOU2\system32\winlogon.exe
F:\FCKYOU2\system32\services.exe
F:\FCKYOU2\system32\lsass.exe
F:\FCKYOU2\system32\svchost.exe
F:\FCKYOU2\System32\svchost.exe
F:\FCKYOU2\system32\spoolsv.exe
F:\FCKYOU2\Explorer.EXE
F:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
F:\FCKYOU2\TPPALDR.EXE
F:\Program Files\ClamWin\bin\ClamTray.exe
F:\Program Files\Gaim\gaim.exe
F:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
F:\FCKYOU2\system32\cisvc.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\FCKYOU2\System32\svchost.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Winamp\winamp.exe
F:\Documents and Settings\Shenzie\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Babylon Client] F:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [ClamWin] "F:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DXDllRegExe] F:\FCKYOU2\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKLM\..\Run: [TPP Auto Loader] F:\FCKYOU2\TPPALDR.EXE
O4 - HKCU\..\Run: [ClamWin] F:\Program Files\ClamWin\bin\ClamTray.exe --logon
O4 - HKCU\..\Run: [Gaim] F:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [HijackThis startup scan] F:\Documents and Settings\Shenzie\Desktop\hijackthis\HijackThis.exe /startupscan
O4 - Startup: IconPackager.lnk.disabled
O4 - Global Startup: Microtek Scanner Finder.lnk = F:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://f:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with &Shareaza - res://F:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://f:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - F:\Program Files\CMAPP\Client\cmappmf.dll
O20 - Winlogon Notify: reset5 - F:\FCKYOU2\SYSTEM32\reset5.dll
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LogServerShell - Unknown owner - F:\Program Files\Entropia\Entropia Client\Bin\LogServerShell.exe (file missing)
O23 - Service: TaskManagerShell - Unknown owner - F:\Program Files\Entropia\Entropia Client\Bin\TaskManagerShell.exe (file missing)