Booted into safe mode
Ran Nailfix
Ran ewido security suite
Ran HijackThis
I am going to attach the log files from ewido and HijackThis. I will leave that PC in safe mode until I hear back.
Can anyone give me a clue on the next step??!?!?!
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 3:36:26 PM, 5/16/2005
+ Report-Checksum: 3450B468
+ Date of database: 5/16/2005
+ Version of scan engine: v3.0
+ Duration: 66 min
+ Scanned Files: 69833
+ Speed: 17.37 Files/Second
+ Infected files: 50
+ Removed files: 50
+ Files put in quarantine: 50
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\Documents and Settings\rphillips\Cookies\rphillips@5560198[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@62968629[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@88244075[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@asp[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@dcsp4kqizoifwzba77gm9fqc9_3w1v[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@S130376[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@S139288[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@S148884[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@S149247[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\rphillips@S151261[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temp\pcs_0002.exe -> Spyware.Pacer.b -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\4P0N0PCN\aurora[1].exe -> Spyware.BetterInternet.c -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\4P0N0PCN\protector[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\4P0N0PCN\version[1].exe -> Spyware.DealHelper.ac -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\8X69QZY7\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\GVKNAD8N\DrPMon[1].dll -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\MJ83IZ6H\downloaddll[1].htm -> Spyware.DealHelper.ab -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\O12741YB\download[1].htm -> Trojan.Popmon.a -> Cleaned with backup
C:\Documents and Settings\rphillips\Local Settings\Temporary Internet Files\Content.IE5\O12741YB\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0499DA92-D976-46F8-8544-1FC1E8\1D3C792F-A402-47B5-AB19-E3B39C -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0499DA92-D976-46F8-8544-1FC1E8\F8151747-48E6-4ACF-99BC-220F4D -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\11461759-7E57-4C62-AEC8-67B968\2CD09C46-1FCE-4DEA-A911-107850 -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\11461759-7E57-4C62-AEC8-67B968\A4C20011-6D4B-4B18-B340-892B94 -> Spyware.BargainBuddy -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\11461759-7E57-4C62-AEC8-67B968\B029CFEC-699E-453B-A6A3-42E968 -> Spyware.BargainBuddy.i -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5F3F8AC9-8DFA-4441-8D16-A7F574\FD2C0251-EE3B-4777-8459-975C96 -> Spyware.CashBack.d -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\62D43DE2-B6BB-4323-842C-476948\57D72C68-E5E0-4BCD-8EEC-AA0443 -> TrojanDownloader.VB.eu -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7314B371-3F5C-4C94-BA78-28A18B\00F3923E-755E-4479-85E3-910983 -> Spyware.VirtualBouncer.i -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7314B371-3F5C-4C94-BA78-28A18B\125CED53-B1B2-4BFC-AD96-D0CB5F -> Spyware.VirtualBouncer.j -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7314B371-3F5C-4C94-BA78-28A18B\8A5F0AE6-6560-4A01-A621-0A37F2 -> Spyware.VirtualBouncer -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7314B371-3F5C-4C94-BA78-28A18B\F479B9BE-1EFD-451F-B546-725182 -> Spyware.VirtualBouncer.j -> Cleaned with backup
C:\WINDOWS\delcvwmongt.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ieatgpc.dll -> Spyware.WebEx -> Cleaned with backup
C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll -> Spyware.EliteBar.z -> Cleaned with backup
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\WINDOWS\system32\bngkox.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\eliteslj32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitewgf32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitexie32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\ps1.exe -> Spyware.Pacer.a -> Cleaned with backup
C:\WINDOWS\system32\psis80ex.ax/C:/WINDOWS/System32/mscb.dll -> Spyware.BargainBuddy.i -> Cleaned with backup
C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/cb.exe -> Spyware.CashBack.b -> Cleaned with backup
C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/flash.exe -> Spyware.CashBack.d -> Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 3:37:43 PM, on 5/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\rphillips\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - HKLM\..\Run: [InterBase Server] C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vp6O33T] dpchlp32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://spsi.webex.c...bex/ieatgpc.cab
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://64.251.13.37/...tivexviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = conco.lan
O17 - HKLM\Software\..\Telephony: DomainName = conco.lan
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = conco.lan
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = conco.lan
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe