Welcome to Geeks to Go - Register now for FREE
Aurora[RESOLVED]

This topic is locked

#1
Tornado
New Member, 8 posts
Hello all,

I noticed I had the Aurora stuff on my machine, so I ran through a few different things to remove it, but there appear to still be some pieces of it. I went to ActiveScan and started with 17 probs, but I now have it down to two. I would appreciate some help getting the remaining unwanted spyware off of my machine.

This is from ActiveScan:
Incident                   Status            Location
Adware:Adware/MyWay        No disinfected    C:\Program Files\MySearch
Spyware:Spyware/ShopNav    No disinfected    Windows Registry

Hijack running in safe mode:
Logfile of HijackThis v1.99.1
Scan saved at 1:17:02 AM, on 5/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
D:\Tools\Spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Program Files\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: DHzer0point NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Hijack running normal boot:
Logfile of HijackThis v1.99.1
Scan saved at 4:01:41 PM, on 5/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Tools\Spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Program Files\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: DHzer0point NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

FindIt info:
Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 05/29/2005 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»» 
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
 
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
Dont delete file's in the section without guidance
If any doubt back them up first
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
»»»»» lagitamate file's can/will show in this section. 
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
 
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»» 
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
 
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder. 
 
 Volume in drive C is OS
 Volume Serial Number is 8020-AAD5

 Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
 Volume in drive C is OS
 Volume Serial Number is 8020-AAD5

 Directory of C:\WINDOWS\system32

08/17/2001  01:42 PM             7,406 SBAudigy.ico
               1 File(s)          7,406 bytes
               0 Dir(s)   7,625,920,512 bytes free
 
»»»»»»»»»»»»»»»»»»»»»»»».
 
HKEY_CURRENT_USER\Software\aurora\AUI3d5OfSDist
HKEY_CURRENT_USER\Software\aurora\AUI3d5OfSInst
HKEY_CURRENT_USER\Software\aurora\AUC3n5trMsgSDisp
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky1S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky2S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky3S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky4S
HKEY_CURRENT_USER\Software\aurora\AUC1o3d5eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUT3i5m7eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUD3s5tSSEnd
HKEY_CURRENT_USER\Software\aurora\AU3N5a7tionSCode
HKEY_CURRENT_USER\Software\aurora\AUP3D5om
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSCheckSIn
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSMots
HKEY_CURRENT_USER\Software\aurora\AUM3o5deSSync
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSCab
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSEx
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSLstest
HKEY_CURRENT_USER\Software\aurora\AUB3D5om
HKEY_CURRENT_USER\Software\aurora\AUE3v5nt
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSBath
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSysSInf
HKEY_CURRENT_USER\Software\aurora\AUL3n5Title
HKEY_CURRENT_USER\Software\aurora\AUC3u5rrentSMode
HKEY_CURRENT_USER\Software\aurora\AUC3n5tFyl
HKEY_CURRENT_USER\Software\aurora\AUI3g5noreS
HKEY_CURRENT_USER\Software\aurora\AUL3a5stMotsSDay
HKEY_CURRENT_USER\Software\aurora\AUL3a5stSSChckin
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon\Driver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon\Driver

Ewido first run:
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on: 	 1:03:02 AM, 5/29/2005
 + Report-Checksum:  F60353C6

 + Date of database:  5/28/2005
 + Version of scan engine:	v3.0

 + Duration:    34 min
 + Scanned Files: 	 151735
 + Speed:    73.73 Files/Second
 + Infected files: 	 14
 + Removed files: 	 13
 + Files put in quarantine:  13
 + Files that could not be opened:	0
 + Files that could not be cleaned:	1

 + Binder:  Yes
 + Crypter:  Yes
 + Archives:  Yes

 + Scanned items:
	C:\
	D:\

 + Scan result:
	C:\Documents and Settings\Jeff\Cookies\jeff@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
	C:\Documents and Settings\Jeff\Cookies\jeff@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
	C:\Documents and Settings\Jeff\Cookies\jeff@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
	C:\Documents and Settings\Jeff\Cookies\jeff@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
	C:\Program Files\Microsoft AntiSpyware\Quarantine\220CD213-F684-4CF6-9254-7DD4C5\382C51AA-D437-47E5-93B4-D3DFBB -> Trojan.Agent.db -> Cleaned with backup
	C:\WINDOWS\hfxnhhikn.exe -> Spyware.BetterInternet -> Cleaned with backup
	C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
	C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
	C:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Error during cleaning
	C:\WINDOWS\system32\dliiik.exe -> Trojan.Agent.cp -> Cleaned with backup
	C:\WINDOWS\system32\qsnmck.exe -> Trojan.Agent.cp -> Cleaned with backup
	C:\WINDOWS\system32\__delete_on_reboot__DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
	C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
	C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup


::Report End

The below attached image is the remaining error I get after I log on. This started after I did a few things to remove the nail.exe file. (I used nailfix and did a fullremove after that in safe mode.)

Attached file: nail.bmp (231.05 KB, 75 downloads)

#2
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Welcome to GTG.

I was wondering why this post was so big. Please don't post any other logs except for HijackThis, unless we ask for it. HijackThis should only be scanned in Normal Mode if you want us to analyze it.

Please print out the instructions here (or save them in Notepad) so that you can follow along more easily.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at http://www.noidea.us...050515010747824. Unzip it to the desktop, but do NOT run it yet.

Download LSPFix from http://www.greyknigh.../spy/LSPFix.exe and run it. Click on xfire_lsp_10650.dll in the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\System32\shdocvw.dll

O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing

Close all open windows except for HijackThis and click Fix Checked.

Uninstall these from Add/Remove panel if listed:

MyWay
ShopNAV


Delete these if found:

C:\WINDOWS\Nail.exe
c:\program files\myway\
C:\WINDOWS\systb.dll


Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here.
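As an added example (not code from this thread, from HijackThis, or from any other tool mentioned here), the Python script below shows how a defender can triage a HijackThis log of the kind posted above and then confirm that a fix took. It parses the tagged entries, flags the indicator types greyknight17 singled out (R0/R1 search settings pointing at a hijack host, an extra program appended to the Winlogon Shell value in the F2 line, O2/O3/O23 entries whose file is missing, the broken O10 LSP chain, services with no publisher, and O9 buttons with a block-listed CLSID), and diffs a before and after log. The sample logs are constructed excerpts of the thread's own entries; the hijack-host set and the CLSID block list are assumptions seeded from those entries, not maintained feeds.

```python
import re
from typing import NamedTuple

# Constructed block list for this example: the host the thread's R0/R1
# entries point at. A real triage script would load a maintained list.
HIJACK_HOSTS = {"websearch.drsnsrch.com"}

# Constructed list seeded from the O9 entries the helper asked to fix in
# this thread; treated here as "known unwanted" CLSIDs.
KNOWN_BAD_CLSIDS = {
    "{1537E842-0000-11D2-8059-111111111111}",
    "{1537E842-0001-11D2-8059-111111111111}",
}


class Entry(NamedTuple):
    section: str  # HijackThis section tag, e.g. "R1", "F2", "O2", "O23"
    body: str     # everything after "<tag> - "


# One finding per line: "<tag> - <body>". Preamble and process-list
# lines do not match and are skipped.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_log(text):
    """Return the tagged findings of a HijackThis log, in order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def flag_reasons(entry):
    """Heuristic reasons this entry deserves attention; empty if none."""
    reasons = []
    body = entry.body
    if entry.section in ("R0", "R1"):
        host = re.search(r"=\s*(?:https?://)?([A-Za-z0-9.-]+)", body)
        if host and host.group(1).lower() in HIJACK_HOSTS:
            reasons.append("search setting points at a known hijack host")
    if entry.section == "F2" and "Shell=" in body:
        # Winlogon's Shell value should be exactly Explorer.exe; anything
        # appended to it is launched at every logon.
        shell_value = body.split("Shell=", 1)[1].strip()
        if shell_value.lower() != "explorer.exe":
            reasons.append("extra program in Winlogon Shell value: " + shell_value)
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("entry references a file that is no longer present")
    if entry.section == "O10" and "Broken Internet access" in body:
        reasons.append("Winsock LSP chain is broken")
    if entry.section == "O23" and "Unknown owner" in body:
        reasons.append("service has no publisher")
    for clsid in KNOWN_BAD_CLSIDS:
        if clsid.lower() in body.lower():
            reasons.append("CLSID is on the block list")
    return reasons


def triage(text):
    """(entry, reasons) for every flagged entry in the log."""
    return [(e, r) for e in parse_log(text) if (r := flag_reasons(e))]


def removed_entries(before_text, after_text):
    """Entries present in the first log but gone from the second."""
    after = set(parse_log(after_text))
    return [e for e in parse_log(before_text) if e not in after]


# Constructed excerpt of the thread's first (infected) HijackThis log.
SAMPLE_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\System32\shdocvw.dll
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

# Constructed excerpt of the log posted after the fixes were applied.
SAMPLE_AFTER = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_BEFORE):
        print(f"{entry.section:<4} {entry.body[:70]}")
        for reason in reasons:
            print(f"     -> {reason}")
    gone = removed_entries(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"\n{len(gone)} entries gone after the fix")
```

The flags are deliberately conservative: an entry with a vendor path and no missing file (the Norton BHO, the ccApp Run key) is left alone, matching the helper's advice to fix only the listed lines. The before/after diff is the check a practitioner wants after a reboot: every flagged entry should appear in the removed list and the post-fix log should triage clean.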

#3
Tornado (Topic Starter)
New Member, 8 posts
Sorry for posting incorrectly. Here is my updated info after doing your fixes.

1) DL Ewido, install, update DB...Done
2) DL Nailfix...Done
3) DL LSPfix and run...Done (Removed xfire_lsp_10650.dll)
4) Booted into Safe Mode...Done
5) Run nailfix.cmd...Done
6) Run full scan in Ewido...Done

Ewido Log:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on: 	 6:25:44 PM, 5/29/2005
 + Report-Checksum:  AD494AF3

 + Date of database:  5/29/2005
 + Version of scan engine:	v3.0

 + Duration:    59 min
 + Scanned Files: 	 155038
 + Speed:    43.09 Files/Second
 + Infected files: 	 7
 + Removed files: 	 7
 + Files put in quarantine:  7
 + Files that could not be opened:	0
 + Files that could not be cleaned:	0

 + Binder:  Yes
 + Crypter:  Yes
 + Archives:  Yes

 + Scanned items:
	C:\
	D:\

 + Scan result:
	C:\Documents and Settings\Jeff\Cookies\jeff@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
	C:\Documents and Settings\Jeff\Cookies\jeff@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
	C:\Documents and Settings\Jeff\Cookies\jeff@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
	C:\Documents and Settings\Jeff\Cookies\jeff@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
	C:\Documents and Settings\Jeff\Cookies\jeff@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
	C:\Documents and Settings\Jeff\Cookies\jeff@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
	C:\Documents and Settings\Jeff\Cookies\jeff@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

7) Run HijackThis scan, fix probs, save log...Done

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:31:40 PM, on 5/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
D:\Tools\Spyware\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Program Files\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: DHzer0point NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

8) Uninstall probs from Add/Remove...N/A - Neither were listed

Question here - I do have something I am unsure about listed. It is called The ABI Network - A Division of Direct Revenue. What do you recommend I do with this and what is it?

9) Delete if found...N/A - None of the three were found.

FYI - I did however find in the C:\Program Files directory a folder called MySearch. I went ahead and deleted it.

10) DL FindIt, unzip, and run...Done

FindIt Log:

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 05/29/2005 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»» 
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
 
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
Dont delete file's in the section without guidance
If any doubt back them up first
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
»»»»» lagitamate file's can/will show in this section. 
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
 
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»» 
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
 
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\JEFF\DESKTOP\FIND-IT'S\XFIND.COM
 
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder. 
 
 Volume in drive C is OS
 Volume Serial Number is 8020-AAD5

 Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
 Volume in drive C is OS
 Volume Serial Number is 8020-AAD5

 Directory of C:\WINDOWS\system32

08/17/2001  01:42 PM             7,406 SBAudigy.ico
               1 File(s)          7,406 bytes
               0 Dir(s)   7,509,520,384 bytes free
 
»»»»»»»»»»»»»»»»»»»»»»»».

  • 0

#4
Tornado

Tornado

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Recent ActiveScan still turns this up also...

Incident                           Status                        Location                                             
Adware:Adware/MyWay           No disinfected                Windows Registry              

Edited by Tornado, 29 May 2005 - 05:41 PM.

  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Regarding The ABI Network - A Division of Direct Revenue, I can't find much information on it either. More often than not, it's bad, so my suggestion is to go ahead and uninstall it.

Just that MyWay entry left. It's very minor if anything. If you still wish to remove all remnants of it, then go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere just in case you make a mistake. Remember, whatever you do in the registry is LIVE - there is no save. What you edit will be saved accordingly as you edit it. So if you are unsure of anything, feel free to ask. OK, now go to Edit->Find and look for myway and remove all instances of it (just hit the F3 key after you delete it - F3 will do a Find Next just in case MyWay is listed elsewhere in the registry).

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0
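An added example (not from this thread and not greyknight17's procedure) of the same registry check done from PowerShell: it exports a backup first, as the File->Export step does, then lists every key name, value name or value data under HKLM and HKCU that contains the search term, so each hit can be reviewed before anything is removed. It assumes an elevated Windows PowerShell 5.1 session; the parameter names and the default backup folder are my own choices.

```powershell
# Added example: back up the registry, then report (not delete) entries
# whose key name, value name or data contains a search term such as "myway".
# Assumptions: run as Administrator; Windows PowerShell 5.1 or later.
param(
    [string]$Pattern   = 'myway',
    [string]$BackupDir = "$env:USERPROFILE\Desktop\regbackup"
)

# 1) Full backup first. reg.exe export writes a .reg file that can be
#    restored later with "reg import <file>".
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
& reg.exe export HKLM "$BackupDir\HKLM-$stamp.reg" /y | Out-Null
& reg.exe export HKCU "$BackupDir\HKCU-$stamp.reg" /y | Out-Null

# 2) Walk the hives and collect matches instead of deleting them.
function Find-RegistryMatches {
    param([string[]]$Roots, [string]$Needle)
    foreach ($root in $Roots) {
        # SilentlyContinue skips keys the current token is not allowed to open.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -imatch $Needle) {
                [pscustomobject]@{ Key = $key.Name; Name = '(key name)'; Data = '' }
            }
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                if ($valueName -imatch $Needle -or $data -imatch $Needle) {
                    [pscustomobject]@{ Key = $key.Name; Name = $valueName; Data = $data }
                }
            }
        }
    }
}

$hits = Find-RegistryMatches -Roots 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE' -Needle $Pattern
$hits | Format-Table -AutoSize

# 3) Removal stays a separate, per-hit decision after review, e.g.:
#    Remove-ItemProperty -Path "Registry::$($hit.Key)" -Name $hit.Name -WhatIf
```

Run it as `.\Find-RegistryMatches.ps1 -Pattern myway`; the `-WhatIf` on the commented removal line shows what would be deleted without touching the live registry.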

#6
Tornado

Tornado

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
All is well. Thanks a bunch for your help. I will be running through my laptop next and posting more on that.

That ABI thing...I went to do the uninstall...it made me go here http://www.mypctuneup.com/ in order to remove it.

I have run through the registry already...not sure why it still turns up. Oh well...if it is only minor then I am not that concerned.
  • 0

#7
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Shoot, why is it asking you to go to their site? I don't trust that site at all since they are the creators for the Aurora popups you have been getting. They also make their so-called "uninstallers" for Aurora, which I advise everyone not to use since they log your IP address and other things about your computer.

Is that ABI program still there now?
  • 0

#8
Tornado

Tornado

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Shoot, why is it asking you to go to their site?  I don't trust that site at all since they are the creators for the Aurora popups you have been getting.  They also make their so-called "uninstallers" for Aurora, which I advise everyone not to use since they log your IP address and other things about your computer.

Is that ABI program still there now?

It is gone now and I had to use the uninstaller to get it off. The remove button in add/remove programs was linked to an abiuninst.htm file. Even after I deleted it it still forced me to go to that site in order to remove it. I should have gotten some other software to get it off.
  • 0

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
