Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Final steps in getting rid of Aurora


  • This topic is locked This topic is locked

#1
jerodk1975

jerodk1975

    Member

  • Member
  • PipPip
  • 10 posts
:tazz:

I have already run ewido, spy-bot search and destroy, clean-up, and Ad-aware-se

I have also downloaded the Nailfix file (but haven't run it with Ewido). Now I just need someone to tell me what to do ;)

Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 12:07:22 PM, on 6/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis-1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 218.44.214.123 www.paypal.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [kozk] C:\PROGRA~1\COMMON~1\kozk\kozkm.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsear...earch.html?p=ZU
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gbnryxir.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - file://C:\install.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093227113483
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kon...ry/main/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{969B30B5-30DC-4E63-9E42-9DAF00214E2B}: NameServer = 199.72.1.1,199.72.1.6
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Ewido Report

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:54:37 AM, 6/3/2005
+ Report-Checksum: 3B328794

+ Date of database: 6/3/2005
+ Version of scan engine: v3.0

+ Duration: 94 min
+ Scanned Files: 295142
+ Speed: 51.95 Files/Second
+ Infected files: 89
+ Removed files: 46
+ Files put in quarantine: 46
+ Files that could not be opened: 0
+ Files that could not be cleaned: 43

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
G:\
C:\
G:\

+ Scan result:
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\I2_LDVP.TMP\dec\00000AF4 -> Spyware.SideFind -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\I2_LDVP.TMP\dec\00000B46 -> TrojanDownloader.WebP2PInstaller -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\.jpi_cache\file\1.0\Dummy.class-1b5b6bd7-497661b6.class -> Trojan.Byteverify -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\.jpi_cache\file\1.0\VerifierBug.class-6a1afc2d-78e286d9.class -> Trojan.Byteverify -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\.jpi_cache\file\1.0\WebCounter.class-474f16b1-3870cafb.class -> Trojan.Java.Classloader.C -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\Desktop\MyFunCardsSetup2.0.3.20.exe -> Spyware.MyWebSearch -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\Program Files\Common Files\kozk\kozkl.exe -> TrojanDownloader.TSUpdate.j -> Cleaned with backup
C:\Program Files\Common Files\kozk\kozkp.exe -> Spyware.Xupiter.m -> Cleaned with backup
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll -> Spyware.MyWebSearch -> Cleaned with backup
C:\Program Files\MSN Messenger\riched20.dll -> Spyware.Wesbar -> Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\F3CJPEG.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\F3HISTSW.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR -> Spyware.MyWebSearch -> Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\F3RESTUB.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\F3SCHMON.EXE -> Spyware.MyWebSearch -> Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\M3HTML.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\M3SKIN.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\Program Files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Program Files\SideFind\sfbho.dll -> Spyware.SideFind -> Cleaned with backup
C:\Program Files\SideFind\sidefind.dll -> Spyware.SideFind -> Cleaned with backup
C:\Program Files\SideFind\update\sidefind.exe -> Spyware.SideFind -> Cleaned with backup
C:\WINDOWS\ahjchacfnb.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> TrojanDownloader.WebP2PInstaller -> Cleaned with backup
C:\WINDOWS\farmmext.exe -> Spyware.ConsCorr -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\nem220.dll -> TrojanDownloader.Dyfuca -> Cleaned with backup
C:\WINDOWS\pyklhwqh.exe -> TrojanDownloader.IstBar.ij -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\systb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\system32\bdl14026.exe -> Trojan.Revop.c -> Cleaned with backup
C:\WINDOWS\system32\f3PSSavr.scr -> Spyware.MyWebSearch -> Cleaned with backup
C:\WINDOWS\system32\mrtl.exe -> Trojan.Revop.b -> Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__nbuivtw.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\wsem303.dll -> TrojanDownloader.Dyfuca.dt -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\I2_LDVP.TMP\dec\00000AF4 -> Spyware.SideFind -> Error during cleaning
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\I2_LDVP.TMP\dec\00000B46 -> TrojanDownloader.WebP2PInstaller -> Error during cleaning
C:\Documents and Settings\Jerod Kirby\.jpi_cache\file\1.0\Dummy.class-1b5b6bd7-497661b6.class -> Trojan.Byteverify -> Error during cleaning
C:\Documents and Settings\Jerod Kirby\.jpi_cache\file\1.0\VerifierBug.class-6a1afc2d-78e286d9.class -> Trojan.Byteverify -> Error during cleaning
C:\Documents and Settings\Jerod Kirby\.jpi_cache\file\1.0\WebCounter.class-474f16b1-3870cafb.class -> Trojan.Java.Classloader.C -> Error during cleaning
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@counter2.hitslink[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@ehg-rr.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\Desktop\MyFunCardsSetup2.0.3.20.exe -> Spyware.MyWebSearch -> Error during cleaning
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Error during cleaning
C:\Program Files\Common Files\kozk\kozkl.exe -> TrojanDownloader.TSUpdate.j -> Error during cleaning
C:\Program Files\Common Files\kozk\kozkp.exe -> Spyware.Xupiter.m -> Error during cleaning
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll -> Spyware.MyWebSearch -> Error during cleaning
C:\Program Files\MSN Messenger\riched20.dll -> Spyware.Wesbar -> Error during cleaning
C:\Program Files\MyWebSearch\bar\2.bin\F3CJPEG.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\Program Files\MyWebSearch\bar\2.bin\F3HISTSW.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\Program Files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR -> Spyware.MyWebSearch -> Error during cleaning
C:\Program Files\MyWebSearch\bar\2.bin\F3RESTUB.DLL -> Spyware.Wesbar -> Error during cleaning
C:\Program Files\MyWebSearch\bar\2.bin\F3SCHMON.EXE -> Spyware.MyWebSearch -> Error during cleaning
C:\Program Files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL -> Spyware.Wesbar -> Error during cleaning
C:\Program Files\MyWebSearch\bar\2.bin\M3HTML.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\Program Files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\Program Files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\Program Files\MyWebSearch\bar\2.bin\M3SKIN.DLL -> Spyware.Wesbar -> Error during cleaning
C:\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL -> Spyware.Wesbar -> Error during cleaning
C:\Program Files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\Program Files\SideFind\sfbho.dll -> Spyware.SideFind -> Error during cleaning
C:\Program Files\SideFind\sidefind.dll -> Spyware.SideFind -> Error during cleaning
C:\Program Files\SideFind\update\sidefind.exe -> Spyware.SideFind -> Error during cleaning
C:\WINDOWS\ahjchacfnb.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> TrojanDownloader.WebP2PInstaller -> Error during cleaning
C:\WINDOWS\farmmext.exe -> Spyware.ConsCorr -> Error during cleaning
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Error during cleaning
C:\WINDOWS\nem220.dll -> TrojanDownloader.Dyfuca -> Error during cleaning
C:\WINDOWS\pyklhwqh.exe -> TrojanDownloader.IstBar.ij -> Error during cleaning
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Error during cleaning
C:\WINDOWS\systb.exe -> Trojan.Imiserv.c -> Error during cleaning
C:\WINDOWS\system32\bdl14026.exe -> Trojan.Revop.c -> Error during cleaning
C:\WINDOWS\system32\f3PSSavr.scr -> Spyware.MyWebSearch -> Error during cleaning
C:\WINDOWS\system32\mrtl.exe -> Trojan.Revop.b -> Error during cleaning
C:\WINDOWS\system32\__delete_on_reboot__DrPMon.dll -> Trojan.Agent.db -> Error during cleaning
C:\WINDOWS\system32\__delete_on_reboot__nbuivtw.exe -> Trojan.Agent.cp -> Error during cleaning
C:\WINDOWS\wsem303.dll -> TrojanDownloader.Dyfuca.dt -> Error during cleaning
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Error during cleaning
C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet -> Error during cleaning


::Report End

Edited by jerodk1975, 04 June 2005 - 07:05 AM.

  • 0

Advertisements


#2
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Please download, install, and update the free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT scan yet.
Download CCleaner and install, but do not run it yet.

Please download the Nail/Aurora Spyware Fix from NoIdea.US. (Alternate download link: dknoppix mirror)

Unzip it to the desktop but do NOT run yet.

Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:
  • Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you the Boot Menu appears.
  • Select an option when the Windows Advanced Options menu appears, and then press ENTER.
  • When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
Once in Safe Mode, please double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next, run Ewido again.
  • Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then run HijackThis, click Scan, and place a checkmark by the following item:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Now, run CCleaner.
  • Uncheck "Cookies" under "Internet Explorer".
  • helpers, if user is running Firefox: ,then click on the "Applications" tab and uncheck "Cookies" under "Firefox".
  • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • 0

#3
jerodk1975

jerodk1975

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I did everything you mentioned in the previous post. Can you take a look and my HijackThis file and tell me what I need to do next? Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 8:36:36 AM, on 6/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HJT\HijackThis-1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O1 - Hosts: 218.44.214.123 www.paypal.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [kozk] C:\PROGRA~1\COMMON~1\kozk\kozkm.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsear...earch.html?p=ZU
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gbnryxir.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - file://C:\install.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093227113483
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kon...ry/main/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{969B30B5-30DC-4E63-9E42-9DAF00214E2B}: NameServer = 199.72.1.1,199.72.1.6
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

Ewido Scan

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:21:01 AM, 6/4/2005
+ Report-Checksum: 3F53155

+ Date of database: 6/3/2005
+ Version of scan engine: v3.0

+ Duration: 310 min
+ Scanned Files: 296206
+ Speed: 15.88 Files/Second
+ Infected files: 16
+ Removed files: 8
+ Files put in quarantine: 8
+ Files that could not be opened: 0
+ Files that could not be cleaned: 8

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
G:\
C:\
G:\

+ Scan result:
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@a.websponsors[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@data.coremetrics[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@p[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\ahjchacfnb.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@a.websponsors[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@atdmt[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@data.coremetrics[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@fastclick[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@p[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Jerod Kirby\Cookies\jerod kirby@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\WINDOWS\ahjchacfnb.exe -> Spyware.BetterInternet -> Error during cleaning


::Report End
  • 0

#4
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
jerodk1975, what filesharing program do you use?

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Rescan with HijackThis and place a checkmark next to the following entries:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O1 - Hosts: 218.44.214.123 www.paypal.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKCU\..\Run: [kozk] C:\PROGRA~1\COMMON~1\kozk\kozkm.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsear...earch.html?p=ZU
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - file://C:\install.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...uginstaller.cab

P2P Networking is a useless Kazaa add-on, I suggest you fix this line, and you will have to remove the main program as well:

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART


Now, close all windows including your browser and then click "Fix Checked" in Hijackthis.

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
To get back to normal mode just restart the computer as you normally would.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

P2P Networking (if you chose to fix it with HJT)
Internet Optimizer
My Search Bar
MyWay Speed Bar
My Web Search Bar
ISTbar
ISearch Toolbar

Please delete these folders using Windows Explorer(if present):

C:\Program Files\MyWebSearch\
C:\Program Files\SideFind\
C:\WINDOWS\System32\P2P Networking\ (again, if you chose to fix it)

Please delete these files using Windows Explorer(if present):

C:\WINDOWS\nem220.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\System32\toolbar.dll
C:\PROGRAM FILES\COMMON FILES\kozk\kozkm.exe
C:\install.cab
C:\WINDOWS\ahjchacfnb.ex

Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

Reboot normally and post a fresh HJT log for review.
  • 0

#5
jerodk1975

jerodk1975

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I used to use Kazaa and then I also used Azureus. I haven't used Kazaa in a long time but I did have some trouble getting rid of Azureus. I clicked on a new filesharing program a few weeks ago and I am wondering if this is where all this crap came from. (don't know its name)

Let me know what's next. :tazz: Thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 6:44:11 AM, on 6/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HJT\HijackThis-1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gbnryxir.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093227113483
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kon...ry/main/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{969B30B5-30DC-4E63-9E42-9DAF00214E2B}: NameServer = 199.72.1.1,199.72.1.6
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
  • 0

#6
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
jerodk1975, you very well may have picked up this malware from clicking a link to a P2P application, it's that easy. Kazaa is bad, Azureus is not. For clean P2P applications, read here
http://www.spywarein...m/articles/p2p/.

Rescan with HJT and check this entry:

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gbnryxir.exe

Remember to close all Windows and browsers for clicking 'Fix Checked'.

Delete this file: C:\Program Files\Internet Explorer\gbnryxir.exe

Reboot and Download http://www.ccleaner.com/ccdownload.php, install and run it to delete any files from "temp", "tmp" folders (DON`T USE THE ISSUSES TAB). Just start Ccleaner and click: Run Cleaner. This cleaning should be done on a regular basis.

Post one more HJT log for review :tazz:.
  • 0

#7
jerodk1975

jerodk1975

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
When you say "don't use the issue tab" does that mean that I should uncheck everything? Should I uncheck anything after the installation or just let it run as it is?

I am perfectly find with losing any cookies or history, I just don't want to erase the wrong thing.
  • 0

#8
jerodk1975

jerodk1975

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Also, I couldn't find this file:

Delete this file: C:\Program Files\Internet Explorer\gbnryxir.exe

I was able to remove it from the log but I can't find it in the folder. Is this a problem?
  • 0

#9
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
Allow ccleaner to run as it is. It's not a problem that you can't find that file, just being thorough :tazz:
  • 0

#10
jerodk1975

jerodk1975

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I ran ccleaner just as you said and then I ran another Hijackthis scan. Let me know if there is anything that looks out of place. Thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 10:27:21 PM, on 6/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis-1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093227113483
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kon...ry/main/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{969B30B5-30DC-4E63-9E42-9DAF00214E2B}: NameServer = 199.72.1.1,199.72.1.6
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
  • 0

#11
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
You're log is clean, good work :tazz:.

Windows System Restore can and does backup malware files which can then be reinstalled if you ever restore to a previous point. To prevent this, we need to purge your Restore points:

Go to Start->Control Panel->System, System Restore. Click "Turn off System Restore". That will erase all restore points. You will be prompted to reboot. When Windows restarts, immediately go back in and uncheck "Turn off System Restore" to re-enable it. Windows will automatically create a new restore point.

To reduce re-infection potential for malware in the future:

Please read Tony Klein's article: So how did I get infected in the first place?.

It is extremely important to keep Windows and Internet Explorer up-to-date. Please go to http://v5.windowsupd...t.aspx?ln=en-us regularly and install ALL critical updates.

It would be a good idea to install a firewall if you don't have one . Here are a few free ones:
Kerio Personal Firewall
Zone Alarm
Sygate Personal Firewall

I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

Use AdAware SE and Spybot S&D regularly to scan your system. Links to excellent tutorials on these programs are in my signature below.

Finally, I suggest downloading and trying Mozilla Firefox browser. Firefox is a free fully functional browser. It's much safer than Internet Explorer.
  • 0

#12
jerodk1975

jerodk1975

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
THANK YOU SO MUCH FOR YOUR HELP!

I would never have been able to figure this out myself. I really appreciate all of the time and effort you put into getting me back up and running! I will definitely come back to this site if I have any issues. Thanks again Insipid!
  • 0

#13
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
G2G

Glad we could help. :tazz:

As this issue appears resolved, this topic is closed. If you need it reopened, please contact a staff member.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP