Aurora- Help me fight it! [RESOLVED]
#1 Nu-clear (Member)

Hello!

First: Great forum, keep it up guys! :tazz:

I have had Aurora and some of its components on my computer for a week now and I just can't get rid of them. I need some of your technical help, guys, please!

I have the Avast antivirus system and it constantly pops up alerts. Annoying like [bleep]. My poor sick computer.
Maybe I can also ask here what to do about some pop-ups at system startup,
like "can't find nail.exe"...

Here is the log. I am more than grateful for any help.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\czkzqe.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Pacient\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ahbkpamsw...VdPnxwYSN/W.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clusdgzgv...qOk/VwTs58.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {02AAF749-EB17-6362-0391-4FB3DF7F85B9} - C:\DOCUME~1\Pacient\APPLIC~1\RULESI~1\hide hold.exe (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {49AE3229-9216-7BC9-D323-60550CA77B68} - C:\WINDOWS\System32\hcb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {596902EF-76C9-673A-55A8-54551BAA1D75} - C:\DOCUME~1\Pacient\APPLIC~1\RULESI~1\AmokBeep.exe
O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O2 - BHO: Htm Style Noun - {717F06D7-FF38-E681-AA77-F343BA15F008} - C:\PROGRA~1\RULESI~1\remoteactive.dll (file missing)
O2 - BHO: kbdltm - {75450D61-98E1-97F9-6D15-1B3A89B557E8} - C:\WINDOWS\System32\kbdltm.dll (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: CCheckUrlExt Object - {A9EEF0D7-5695-45BA-8943-ED3B95A50BD2} - C:\WINDOWS\System32\CheckUrl.dll
O3 - Toolbar: pokemulti - {67020674-9ED6-0438-8543-79FABF87171E} - C:\PROGRA~1\RULESI~1\remoteactive.dll (file missing)
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [EHKO] C:\WINDOWS\EHKO.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Pacient\My Documents\MsgPlus.exe"
O4 - HKLM\..\Run: [InfoPenMSN] C:\Program Files\InfoKing\InfoPenMSN\Pro\InfoPenIM.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [2 proxy poll ooze] C:\Documents and Settings\All Users\Application Data\01 bib 2 proxy\five drv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProxyStopBibClose] C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\64Knob.exe
O4 - HKLM\..\Run: [ikmuphd] c:\windows\system32\czkzqe.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WallPaper] C:\Documents and Settings\Pacient\My Documents\My Pictures\Bikini\WPAPER.EXE
O4 - HKCU\..\Run: [Oest] C:\Documents and Settings\Pacient\Application Data\aaha.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\Pacient\My Documents\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Fxqhbse] C:\WINDOWS\System32\eohmx.exe
O4 - HKCU\..\Run: [Bird view] C:\DOCUME~1\Pacient\APPLIC~1\PROGRA~1\FOR MAGS.exe
O4 - HKCU\..\Run: [Spanish] C:\Program Files\Learn To Speak German Demo V2.8\Study Conversation.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {2AABC39C-B188-4E90-A343-966AFF556544} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5....v45/yacscom.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://install.servi...StarInstall.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C61507A1-9834-4AE4-8B94-585704D08F9B}: NameServer = 193.189.160.11 193.189.160.12
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
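What a helper does with a log like the one above is pattern-matching: a Shell= line that starts anything besides Explorer, O4 Run entries that launch out of Application Data or Temp or carry random-looking names, an O23 service with no known owner sitting in the root of C:\WINDOWS, and an O17 NameServer override. The script below is an added example that mechanises those checks over HijackThis-style lines; it is not a tool posted in this thread and not part of HijackThis. The sample lines are copied from the first log above (with two benign avast!/NVIDIA entries for contrast); the allowlist, the user-writable path fragments and the 25% vowel threshold for "random-looking" are assumptions of this example, and its output is a list of leads for a person to review, not verdicts. The same checks apply to the second log posted later in the thread.

```python
"""HijackThis log triage: an added example for this thread, not a posted tool.

Checks: Shell= launching extra programs (F2), Run entries from user-writable
folders or with random-looking names (O4), NameServer overrides (O17), and
unknown-owner services in the Windows directory root (O23).
"""
import re
from dataclasses import dataclass
from typing import List

# Assumption: small allowlist of Windows binaries that are normal in Run keys.
KNOWN_GOOD = {"ctfmon.exe", "explorer.exe", "rundll32.exe"}
# Assumption: path fragments meaning "a limited user could have written this".
USER_WRITABLE = ("\\application data\\", "\\temp\\", "\\documents and settings\\")

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Lines copied from the first log posted in this thread, plus two benign
# entries (avast!, NVIDIA) to show what is not flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [2 proxy poll ooze] C:\Documents and Settings\All Users\Application Data\01 bib 2 proxy\five drv.exe
O4 - HKLM\..\Run: [ikmuphd] c:\windows\system32\czkzqe.exe r
O4 - HKCU\..\Run: [Oest] C:\Documents and Settings\Pacient\Application Data\aaha.exe
O4 - HKCU\..\Run: [Fxqhbse] C:\WINDOWS\System32\eohmx.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C61507A1-9834-4AE4-8B94-585704D08F9B}: NameServer = 193.189.160.11 193.189.160.12
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


def exe_path(cmd: str) -> str:
    """Program part of a Run command: up to the first '.exe', else the first token."""
    cmd = cmd.strip().lstrip('"')
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def looks_random(word: str) -> bool:
    """Heuristic (assumption): purely alphabetic, 5+ letters, no internal
    capitals (CamelCase product names pass) and under 25% vowels."""
    if not word.isalpha() or len(word) < 5:
        return False
    if any(ch.isupper() for ch in word[1:]):
        return False
    vowels = sum(ch in "aeiouy" for ch in word.lower())
    return vowels / len(word) < 0.25


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := F2_RE.match(line):
            # Shell= should be exactly explorer.exe; anything appended runs at every logon.
            extra = [t for t in m["shell"].split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding(line, "Shell= starts extra program(s): " + " ".join(extra)))
        elif m := O4_RE.match(line):
            path = exe_path(m["cmd"])
            fname = path.replace("/", "\\").rsplit("\\", 1)[-1]
            stem = fname.rsplit(".", 1)[0]
            if fname.lower() in KNOWN_GOOD:
                continue
            if any(frag in path.lower() for frag in USER_WRITABLE):
                findings.append(Finding(line, "autorun executes from a user-writable folder"))
            elif looks_random(m["label"]) or looks_random(stem):
                findings.append(Finding(line, "autorun has a random-looking name"))
        elif m := O17_RE.match(line):
            findings.append(Finding(line, "DNS servers overridden: " + m["servers"]
                                    + " (confirm they belong to your ISP)"))
        elif m := O23_RE.match(line):
            # "Unknown owner" alone is not a signal (avast!'s own services show it);
            # combined with a binary dropped in the Windows root it is.
            parent = m["path"].lower().rsplit("\\", 1)[0]
            if m["owner"] == "Unknown owner" and parent in ("c:\\windows", "c:\\winnt"):
                findings.append(Finding(line, "unknown-owner service in the Windows directory root"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample it flags seven entries (Nail.exe on the Shell= line, the four Lop/Aurora Run entries, the NameServer override and the SvcProc service) and leaves the avast! and NVIDIA lines alone. The name heuristic will still trip over some legitimate terse names (a QuickTime "qttask" would score as random), which is why a helper reads the flagged lines rather than deleting on the script's say-so.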
#2
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Nu-clear

The top part of your HJT log is missing. Always post the full log.

Please read through the instructions before you start (you may want to print this out).

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
Download nails.cmd fix
Unzip it to the desktop but please do NOT run it yet.

Please download sphjfix and save it to your desktop.

Download Pocket Killbox and unzip it; save it to your Desktop.

Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Now run the nails.cmd fix.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press OK to remove them.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from Panda, Ewido and HijackThis. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
#3 Nu-clear (Topic Starter)

Hello thatman!

Thanks for helping. I followed your instructions (very nice :tazz: ), but it seems that Nailfix from noidea is, as WinRAR says, either a multipart or a corrupt ZIP ;)

What should I do now?

Edited by Nu-clear, 15 June 2005 - 08:34 AM.

#4 thatman (Guest)
Hi Nu-clear

a.) Copy the script below (everything from @ECHO OFF to exit) to Notepad.
b.) Save the file as nailfix.cmd
c.) Change the Save as Type to All Files.
d.) Save this file to the desktop.


@ECHO OFF
REM Originally by Swandog46 and miekiemoes from SpywareInfo.Com.
REM Modified by RACooper to combine 2K and XP routines to one file.

REM process.exe ships in the Nailfix zip. It is used to kill Explorer so that
REM Nail.exe, which is started from the Shell= line, is not running while its
REM files are deleted. If it is missing, stop here instead of carrying on.
if exist process.exe (
process -k explorer.exe
) ELSE (
echo Process.exe missing. Please unzip completely and rerun this file.
pause
exit
)

cd %windir%
REM Let Aurora run its own uninstall first, then delete what it leaves behind.
Nail.exe /fullremove

del /a /f nail.exe svcproc.exe
cd %windir%\system32
del /a /f DrPMon.dll

REM Build a REGEDIT4 file. A key written as [-KEY] is deleted when merged.
REM The SvcProc service is removed from every ControlSet so it cannot come
REM back through "Last Known Good Configuration".
echo REGEDIT4 > nailfix.reg
echo. >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_CURRENT_USER\Software\_rtneg3] >> nailfix.reg
echo [-HKEY_CURRENT_USER\Software\aurora] >> nailfix.reg
REM COM registrations (CLSID, Interface, TypeLib, ProgID) left by the Aurora DLLs.
echo [-HKEY_CLASSES_ROOT\CLSID\{0962DA67-DB64-465C-8CD7-CBB357CAF825}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{356B2BD0-D206-4E21-8C85-C6F49409C6A9}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{52ADD86D-9561-4C40-B561-4204DBC139D1}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{999A06FF-10EF-4A29-8640-69E99882C26B}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{018C5406-AEE6-4A68-980F-2CEB1E9416FB}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{0A7FC040-F84A-4AD7-9439-798B6C0F861E}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{32A9D21F-F510-44DC-9EA6-0456EDA04668}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{4562B6F3-DAF8-464E-87B7-5464575F0D6A}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{C93CC79D-02D5-45B0-BE39-7F5B0E5DDA31}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{DA4B919F-B757-4E32-8D79-DEC5C2704C4B}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.amo] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.iiittt] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.momo] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.ohb] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\TypeLib\{DA15C9A2-C30A-4761-922A-5DFE7C9A1F67}] >> nailfix.reg
echo [-HKEY_CURRENT_USER\Software\Bolger] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}] >> nailfix.reg
REM ZepMon is a print monitor registration, which lets a DLL load into the
REM spooler service at boot. Remove it from each ControlSet as well.
echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon] >> nailfix.reg

REM /s merges silently, then the temporary .reg file is removed.
regedit /s nailfix.reg
del nailfix.reg

start explorer.exe
exit


e.) Double-click on nailfix.cmd
f.) When it asks you to merge the information to the registry click Yes.


Kc :tazz:
#5 Nu-clear (Topic Starter)

Ok!

It seems like a good idea. I saved nailfix.cmd. I clicked it and it says I should unzip the whole file (or something). A bit later my Ewido collapsed. I deleted it and made a new nailfix.cmd. When I double-click it, it says this application doesn't exist. :tazz:

(BTW, I completed all the next steps from your first reply.)

What is next?

EDIT: I deleted it again and made a new one. It says, like the first time, that "process.exe" is missing. Please unzip completely and rerun this file.

Edited by Nu-clear, 15 June 2005 - 08:48 AM.

#6 thatman (Guest)
Hi Nu-clear

Please post the HijackThis log and the Panda log.

Thanks

Kc :tazz:
#7 Nu-clear (Topic Starter)

Logfile of HijackThis v1.99.1
Scan saved at 16:59:00, on 15/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
D:\SAFET\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wgncvviin...dPnxwYSN/W.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clusdgzgv...qOk/VwTs58.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {02AAF749-EB17-6362-0391-4FB3DF7F85B9} - C:\DOCUME~1\Pacient\APPLIC~1\RULESI~1\hide hold.exe (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {49AE3229-9216-7BC9-D323-60550CA77B68} - C:\WINDOWS\System32\hcb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {596902EF-76C9-673A-55A8-54551BAA1D75} - C:\DOCUME~1\Pacient\APPLIC~1\RULESI~1\AmokBeep.exe
O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O2 - BHO: Htm Style Noun - {717F06D7-FF38-E681-AA77-F343BA15F008} - C:\PROGRA~1\RULESI~1\remoteactive.dll (file missing)
O2 - BHO: kbdltm - {75450D61-98E1-97F9-6D15-1B3A89B557E8} - C:\WINDOWS\System32\kbdltm.dll (file missing)
O3 - Toolbar: pokemulti - {67020674-9ED6-0438-8543-79FABF87171E} - C:\PROGRA~1\RULESI~1\remoteactive.dll (file missing)
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [EHKO] C:\WINDOWS\EHKO.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Pacient\My Documents\MsgPlus.exe"
O4 - HKLM\..\Run: [InfoPenMSN] C:\Program Files\InfoKing\InfoPenMSN\Pro\InfoPenIM.exe
O4 - HKLM\..\Run: [2 proxy poll ooze] C:\Documents and Settings\All Users\Application Data\01 bib 2 proxy\five drv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProxyStopBibClose] C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\64Knob.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WallPaper] C:\Documents and Settings\Pacient\My Documents\My Pictures\Bikini\WPAPER.EXE
O4 - HKCU\..\Run: [Oest] C:\Documents and Settings\Pacient\Application Data\aaha.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\Pacient\My Documents\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Fxqhbse] C:\WINDOWS\System32\eohmx.exe
O4 - HKCU\..\Run: [Bird view] C:\DOCUME~1\Pacient\APPLIC~1\PROGRA~1\FOR MAGS.exe
O4 - HKCU\..\Run: [Spanish] C:\Program Files\Learn To Speak German Demo V2.8\Study Conversation.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {2AABC39C-B188-4E90-A343-966AFF556544} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5....v45/yacscom.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://install.servi...StarInstall.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C61507A1-9834-4AE4-8B94-585704D08F9B}: NameServer = 193.189.160.11 193.189.160.12
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

AND MY PANDA LOG: (my head hurts baaaaad from this one, LOL!)

Incident                          Status           Location

Adware:Adware/Lop No disinfected C:\DOCUME~1\Pacient\APPLIC~1\RULESI~1\AmokBeep.exe
Adware:Adware/Lop No disinfected c:\docume~1\pacient\locals~1\temp\smnngflf.exe
Adware:Adware/Lop No disinfected C:\DOCUME~1\ALLUSE~1\APPLIC~1\DASHAT~1\64Knob.exe
Adware:Adware/Gator No disinfected C:\DOCUME~1\Pacient\LOCALS~1\Temp\bundle.inf
Adware:Adware/MyWay No disinfected Windows Registry
Spyware:Spyware/ClearSearch No disinfected C:\DOCUME~1\Pacient\LOCALS~1\Temp\ClrSch
Adware:Adware/Lop No disinfected C:\Program Files\C2Media
Adware:Adware/StatBlaster No disinfected Windows Registry
Adware:Adware/FunWeb No disinfected C:\Program Files\FunWebProducts
Adware:Adware/Apropos No disinfected C:\DOCUME~1\Pacient\LOCALS~1\Temp\~apropos0
Adware:Adware/FavoriteMan No disinfected Windows Registry
Spyware:Spyware/TVMedia No disinfected C:\DOCUME~1\Pacient\LOCALS~1\Temp\TVMUpdater.exe
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Pacient\Application Data\Lycos
Adware:Adware/IPInsight No disinfected C:\DOCUME~1\Pacient\LOCALS~1\Temp\alchem.???
Adware:Adware/BlazeFind No disinfected Windows Registry
Adware:Adware/MyDailyHoroscope No disinfected C:\Program Files\My Daily Horoscope
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\exul?.exe
Adware:Adware/Megasearch No disinfected C:\WINDOWS\system32\megaV2Wbr.dll
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\DOCUME~1\Pacient\LOCALS~1\Temp\DrTemp
Adware:Adware/Aurora No disinfected C:\WINDOWS\nail.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\01 bib 2 proxy\base default.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\01 bib 2 proxy\five drv.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\01 bib 2 proxy\Load lies.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\01 bib 2 proxy\Meal Axis.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\01 bib 2 proxy\Ref That.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\01 bib 2 proxy\SpamSize.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\1Settings.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\64Knob.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Amokless.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Ante4.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\AXIS PLATFORM.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Baitlocks.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Bits 01.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Boob Peak.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Cake About.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Camp aim.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Cash download.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\clock ooze.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Corn Dog.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Debug live.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Dogfilm.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\DUPE PROXY.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\film exit.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Findbash.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\First Team.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\flap rect.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Help Copy.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\htmsite.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Info Lies.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\isodate.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Lite Frag.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\lite link.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\log chin.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Loudmapi.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Math This.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\meal aim.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Mix camp.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\mix cool.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\nurb flag.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\NURB PLATFORM.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\NurbInternet.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\OBJBIRD.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Once Junk.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\OptionElse.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\OptionMeet.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\PeakGram.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Pile Sixth.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Poke Five.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\SafeVga.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\sect cdrom.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\SETTINGS FIND.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Shim online.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\site soft.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Third16.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\this creative.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\tick name.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\TickBrowse.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Time third.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\up spam.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Viewmeet.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Way Up.exe
Adware:Adware/BuddyLinks No disinfected C:\Documents and Settings\Pacient\!update.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\awgjsupy.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\bkwxreqn.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\cbasihyh.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\chxqcawv.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\coialkny.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\cyyvrarw.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\dkfskqfb.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\dtfbange.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\dvsjgyja.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\dxptyked.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\encusssy.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\fkrhsodh.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\FOR MAGS.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\fvejllrt.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\gcvhttik.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\gxniiijk.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\Helpplusdartlies.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\hsseynko.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\hvuckxzs.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\ilovocbq.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\jqrmpppr.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\jwledycq.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\jzjdelsi.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\kajyrwdi.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\kywmeldb.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\lddhuczo.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\ljyztoas.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\llmyyzxt.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\lvyjvlje.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\madaxawz.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\mbmbgrsu.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\muuiukzf.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\mvohriqh.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\mwmojgel.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\nbpabykq.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\nqbovhoq.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\oeekhyfs.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\oibzarww.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\owqqzhrl.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\pjnfxrtq.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\qrckgsgv.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\reukitgy.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\rosjojwt.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\seleznpy.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\stwqycmr.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\tffauhiy.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\tibrekql.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\tjzrlymp.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\tqrfjqmr.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\uwdvzeji.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\vkcfanmz.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\wlvlcnbc.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\wqmkyiru.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\wxachzge.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\wxkbftek.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\xelkqabo.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\xkatpzjv.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\xkcztnlv.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\xrckeohk.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\ycnpnjxq.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\yghhyexi.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\yrcnvaxr.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\zlhdddyp.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\zmuonqyh.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\zouieqdy.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\rule sign\AmokBeep.exe
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\Pacient\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-58a2c508-5b55be1f.zip[Mein.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\Pacient\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-58a2c508-5b55be1f.zip[Beyond.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\Pacient\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-58a2c508-5b55be1f.zip[binny.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Pacient\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-35206e49.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Pacient\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-35206e49.zip[VerifierBug.class]
Viru

#8
Guest_thatman_*

Hi Nu-clear

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install Ad-Aware.
Check here on how to set up and use it; please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop.

Reinstall ewido

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run an Ewido full scan and save the log.

Clear out the files in the Prefetch folder. Go to Start > Run, type Prefetch into the box, and delete all the files in that folder.

Using Windows Explorer, locate the following files/folders and delete them if found:
C:\Documents and Settings\All Users\Application Data\01 bib 2 proxy<--Delete the whole folder
C:\Documents and Settings\All Users\Application Data\dash atom proxy stop<--Delete the whole folder
C:\Documents and Settings\Pacient\Application Data\programgrim<--Delete the whole folder
C:\Documents and Settings\Pacient\Application Data\rule sign<--Delete the whole folder
C:\Program Files\C2Media<--Delete the whole folder
C:\Program Files\FunWebProducts<--Delete the whole folder
C:\Program Files\My Daily Horoscope<--Delete the whole folder

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *OK* to remove.

Run Ad-Aware SE and let it remove all it finds.

Run Killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the Full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.
C:\Documents and Settings\Pacient\!update.exe
C:\DOCUME~1\Pacient\APPLIC~1\RULESI~1\AmokBeep.exe
c:\docume~1\pacient\locals~1\temp\smnngflf.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\DASHAT~1\64Knob.exe
C:\DOCUME~1\Pacient\LOCALS~1\Temp\bundle.inf
C:\DOCUME~1\Pacient\LOCALS~1\Temp\ClrSch
C:\DOCUME~1\Pacient\LOCALS~1\Temp\~apropos0
C:\DOCUME~1\Pacient\LOCALS~1\Temp\TVMUpdater.exe
C:\Documents and Settings\Pacient\Application Data\Lycos
C:\DOCUME~1\Pacient\LOCALS~1\Temp\alchem.exe
C:\WINDOWS\system32\exul?.exe
C:\WINDOWS\system32\megaV2Wbr.dll
C:\DOCUME~1\Pacient\LOCALS~1\Temp\DrTemp
C:\WINDOWS\nail.exe
Let the system reboot.

Please download, install and run this disk cleanup utility called Cleanup version 4.0: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the Prefetch folder and the Recycle Bin. When the scan has finished, click the Close button.
When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from Panda, Ewido and HJT. We will need them to remove previous infections that have left files on your system.

Kc :tazz:

#9
Nu-clear

Thanks Thatman!

I will get on with the things right away... :tazz:

#10
Guest_thatman_*

Hi Nu-clear

OK, I will be waiting.

Kc :tazz:

#11
Nu-clear

Hi Thatman!

Hehe.
I was following the procedure. Later on I found out I had left some of the files out when deleting them with Windows Explorer. So I went back to repeat the whole procedure. When I was about to connect to the internet (after the reboot) everything (Windows) got stuck. The only way I could restart my computer was with the restart button.
After a few tries I let it calm down and tried to get to it today. It doesn't even turn on. (It is also possible some of my family tried to turn it on meanwhile.)
I was also thinking about putting Windows on again. But now.....
I don't know... Maybe my computer is ready for some service, hehe.

#12
Guest_thatman_*

Hi Nu-clear

Check the power to the system and all power leads, plus check the fuse in the plug.

Kc :tazz:

#13
Nu-clear

Hi Thatman!

I am answering from my computer... Yeaaay! ;)
I don't know what has been done to it exactly, but now I need your help again. Please!
I am really thankful for your help and all the time you have taken for me.
I really wish to put my computer in a good healthy state.

Here is my HJT log and I patiently wait for your further suggestions. :tazz:
Have a nice day!

Thanks again,
Nu-clear

Edit: Someone has moved all "invisible files" from the desktop, is this really bad? I think it is somehow possible to locate them.

Logfile of HijackThis v1.99.1
Scan saved at 19:44:59, on 19/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\SAFET\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nvzwylnwi...dPnxwYSN/W.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clusdgzgv...qOk/VwTs58.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02AAF749-EB17-6362-0391-4FB3DF7F85B9} - C:\DOCUME~1\Pacient\APPLIC~1\RULESI~1\hide hold.exe (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {49AE3229-9216-7BC9-D323-60550CA77B68} - C:\WINDOWS\System32\hcb.dll (file missing)
O2 - BHO: (no name) - {596902EF-76C9-673A-55A8-54551BAA1D75} - C:\DOCUME~1\Pacient\APPLIC~1\RULESI~1\AmokBeep.exe (file missing)
O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O2 - BHO: Htm Style Noun - {717F06D7-FF38-E681-AA77-F343BA15F008} - C:\PROGRA~1\RULESI~1\remoteactive.dll (file missing)
O2 - BHO: kbdltm - {75450D61-98E1-97F9-6D15-1B3A89B557E8} - C:\WINDOWS\System32\kbdltm.dll (file missing)
O3 - Toolbar: pokemulti - {67020674-9ED6-0438-8543-79FABF87171E} - C:\PROGRA~1\RULESI~1\remoteactive.dll (file missing)
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [EHKO] C:\WINDOWS\EHKO.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Pacient\My Documents\MsgPlus.exe"
O4 - HKLM\..\Run: [InfoPenMSN] C:\Program Files\InfoKing\InfoPenMSN\Pro\InfoPenIM.exe
O4 - HKLM\..\Run: [2 proxy poll ooze] C:\Documents and Settings\All Users\Application Data\01 bib 2 proxy\five drv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProxyStopBibClose] C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\64Knob.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WallPaper] C:\Documents and Settings\Pacient\My Documents\My Pictures\Bikini\WPAPER.EXE
O4 - HKCU\..\Run: [Oest] C:\Documents and Settings\Pacient\Application Data\aaha.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\Pacient\My Documents\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Fxqhbse] C:\WINDOWS\System32\eohmx.exe
O4 - HKCU\..\Run: [Bird view] C:\DOCUME~1\Pacient\APPLIC~1\PROGRA~1\FOR MAGS.exe
O4 - HKCU\..\Run: [Spanish] C:\Program Files\Learn To Speak German Demo V2.8\Study Conversation.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2AABC39C-B188-4E90-A343-966AFF556544} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5....v45/yacscom.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C61507A1-9834-4AE4-8B94-585704D08F9B}: NameServer = 193.189.160.11 193.189.160.12
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

Edited by Nu-clear, 19 June 2005 - 11:59 AM.


#14
Guest_thatman_*

Hi Nu-clear

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install Ad-Aware.
Check here on how to set up and use it; please make sure you update it first. Don't run it yet.

Download Ewido Trojan and malware remover: http://www.ewido.net/en/download/
This setup contains the free as well as the plus version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used for an unlimited time. The purchased license code of the plus version can be entered at any time.
Ewido will auto-update. Don't run it yet.


Reboot into Safe Mode: please see here if you are not sure how to do this.

Run an Ewido full scan and save the scan log.

Clear out the files in the Prefetch folder. Go to Start > Run, type Prefetch into the box, and delete all the files in that folder.

Run Ad-Aware SE and let it remove all it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *OK* to remove.

Reboot as normal

Please download, install and run this disk cleanup utility called Cleanup version 4.0: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the Prefetch folder and the Recycle Bin. When the scan has finished, click the Close button.
When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from Panda, Ewido and HJT. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
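As an added example (not code from this thread, nor from Panda, HijackThis or Killbox), the following Python script does the bookkeeping thatman does by hand in the two fix posts above: it groups the still-"No disinfected" hits of a Panda report by parent folder to produce the "Delete the whole folder" list, then cross-checks a HijackThis log for the O2/O3/O4 entries pointing at those folders or files, matching by file name where HJT shows only 8.3 short names such as PROGRA~1, and lists hooks already marked "(file missing)". The sample log lines are constructed from entries posted in this thread; the line layouts are inferred from those posts, and all function names are the example's own.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample, modelled on the Panda report posted in this thread
# ("<Category>:<Name> <Status> <Location>", one incident per line).
PANDA_SAMPLE = r"""Incident Status Location

Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\Way Up.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\64Knob.exe
Adware:Adware/BuddyLinks No disinfected C:\Documents and Settings\Pacient\!update.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\FOR MAGS.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Pacient\Application Data\programgrim\awgjsupy.exe
Adware:Adware/MyWay No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Pacient\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-35206e49.zip[BlackBox.class]
"""
# Constructed HijackThis lines, same shape as the HJT log posted above.
HJT_SAMPLE = r"""O2 - BHO: (no name) - {596902EF-76C9-673A-55A8-54551BAA1D75} - C:\DOCUME~1\Pacient\APPLIC~1\RULESI~1\AmokBeep.exe (file missing)
O4 - HKLM\..\Run: [ProxyStopBibClose] C:\Documents and Settings\All Users\Application Data\dash atom proxy stop\64Knob.exe
O4 - HKCU\..\Run: [Bird view] C:\DOCUME~1\Pacient\APPLIC~1\PROGRA~1\FOR MAGS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

PANDA_RE = re.compile(r"^(?P<category>[A-Za-z]+):(?P<name>\S+)\s+"
                      r"(?P<status>No disinfected|Disinfected)\s+(?P<location>.+?)\s*$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")          # "C:\..." style locations only
ARCHIVE_MEMBER_RE = re.compile(r"\[[^\]]*\]$")        # strips ".zip[BlackBox.class]"


def parse_panda(lines):
    """Yield (status, location) per incident line; archive members are reduced
    to their container file so that paths group by a real folder."""
    for line in lines:
        m = PANDA_RE.match(line.strip())
        if not m:                      # header, blank line, or unknown layout
            continue
        yield m.group("status"), ARCHIVE_MEMBER_RE.sub("", m.group("location"))


def unresolved_file_hits(lines):
    """File paths still flagged 'No disinfected' (registry-only hits such as
    'Windows Registry' are skipped: they need registry cleanup, not Killbox)."""
    return [loc for status, loc in parse_panda(lines)
            if status == "No disinfected" and DRIVE_PATH_RE.match(loc)]


def folders_to_review(lines, min_hits=2):
    """Parent folder -> number of unresolved hits, for folders with at least
    min_hits files: the 'Delete the whole folder' candidates."""
    counts = Counter(str(PureWindowsPath(loc).parent) for loc in unresolved_file_hits(lines))
    return {folder: n for folder, n in counts.items() if n >= min_hits}


def flagged_basenames(lines):
    """Lower-cased file names of unresolved hits; used to match HJT entries
    written with 8.3 short names (PROGRA~1) where the long folder is absent."""
    return {PureWindowsPath(loc).name.lower() for loc in unresolved_file_hits(lines)}


def hjt_entries_in(hjt_lines, folders, basenames):
    """O2/O3/O4 entries pointing at a flagged folder or flagged file name:
    the BHO/toolbar/Run registrations to remove alongside the files."""
    folders_l = [f.lower() for f in folders]
    hits = []
    for raw in hjt_lines:
        line = raw.strip()
        if not line.startswith(("O2 ", "O3 ", "O4 ")):
            continue
        low = line.lower()
        if any(f in low for f in folders_l) or any("\\" + b in low for b in basenames):
            hits.append(line)
    return hits


def file_missing_hooks(hjt_lines):
    """O2/O3 entries whose DLL/EXE is already gone: orphaned registrations
    left behind once the files were deleted (for example by Killbox on reboot)."""
    return [l.strip() for l in hjt_lines
            if l.startswith(("O2 ", "O3 ")) and "(file missing)" in l]


if __name__ == "__main__":
    panda, hjt = PANDA_SAMPLE.splitlines(), HJT_SAMPLE.splitlines()
    folders = folders_to_review(panda)
    for folder, n in sorted(folders.items()):
        print(f"{n} hits  {folder}<--Delete the whole folder")
    for entry in hjt_entries_in(hjt, folders, flagged_basenames(panda)):
        print("fix with HJT:  ", entry)
    for entry in file_missing_hooks(hjt):
        print("orphaned hook: ", entry)
```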

#15
Nu-clear

Hey Thatman!

I have done some Panda scanning meanwhile.
The log was cut really short:


Incident Status Location

Adware:Adware/Gator No disinfected C:\WINDOWS\gator*.log
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Pacient\Application Data\Lycos
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.ini
Adware:Adware/FunWeb No disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorHDPlugin.log
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Virus:Eicar.Mod No disinfected D:\Kaspersky\English\Kaspersky Anti-Virus\data1.cab[eicar.html]
Virus:Eicar.Mod No disinfected D:\Kaspersky\French\Kaspersky Anti-Virus\data1.cab[eicar.html]
Virus:Eicar.Mod No disinfected D:\Kaspersky\German\Kaspersky Anti-Virus\data1.cab[eicar.html]
Virus:Eicar.Mod No disinfected D:\Kaspersky\Kaspersky Anti-Virus\data1.cab[eicar.html]


- From this list I manually deleted the whole Kaspersky folder (this was NEVER used, just put on).
- Then I started Ad-Aware from the reboot and it didn't find any threats.

What do you think? Am I healthy?