
Getting rid of Aurora Spyware [RESOLVED]


  • This topic is locked

#1
grrlpwr

    Member

  • Member
  • 38 posts
Hi,
I have followed all the directions that you suggested before I could post the HijackThis log. One of our computers at work is clearly infected with Aurora spyware, and no matter what anti-spyware product I use, I cannot clear it off for good.

Below is my HijackThis log. Any help to get rid of this would be greatly appreciated.

grrlpwr
-----------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:59:05 PM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
c:\windows\system32\rcdnwuc.exe
C:\Program Files\Netropa\Traymon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\aclu\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [noxgxdo] c:\windows\system32\rcdnwuc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\office2000\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst0_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.rich...st/twophase.cab
O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.soli...d/solitaire.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0



#2
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi grrlpwr and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This may be a few-step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

I noticed that your HijackThis.exe is located on your desktop; make sure to save HijackThis in its own folder (i.e. C:\HJT). This is very important, so HijackThis can save backups!

Please download the trial version of Ewido Security Suite Here
Install it, and update the definitions to the newest files. Do NOT run a scan yet. (if you already have, please just update)

Please download Nailfix from Here
Unzip it to the desktop but please do NOT run it yet.

Download and install CleanUp! Here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for System Startup Service (SvcProc) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

5. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click "Kill process" for each one (if they still exist):

C:\WINDOWS\Nail.exe

6. Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

7. Then please run Ewido, and run a full scan. Post the log from the scan here for me.

8. Close all browsers, windows and unneeded programs.

9. Open HiJack and do a scan.

10. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [noxgxdo] c:\windows\system32\rcdnwuc.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe


11. Click the Fix Checked box.

12. Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Ebates_MoeMoneyMaker

13. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\Ebates_MoeMoneyMaker

14. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\systb.dll
c:\windows\system32\ossproxy.exe
c:\windows\system32\rcdnwuc.exe
c:\windows\SvcProc.exe
C:\WINDOWS\Nail.exe


15. Run the program CleanUp!

16. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

17. Please post an ActiveScan log, Ewido scan log and a fresh HijackThis log. Let me know how your computer is running.
  • 0
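One way to automate the triage Excal does by hand above, as an added example that is not part of this thread and not code from HijackThis or the forum: a small Python checker that reads HijackThis log lines and flags the same kinds of entries Excal picked out (a program chained onto the Winlogon `Shell=` line, orphaned BHO/toolbar registrations, Run keys launching unexpected executables from the Windows directory, services with no vendor string, and browser settings pointing at a known hijack host). The sample lines are copied from the first log posted in this thread; the suspect-host list, the Run-key allowlist and the rule wording are assumptions of mine, not anything HijackThis provides.

```python
"""Heuristic triage of HijackThis v1.99 log lines.

Added example for this thread; not part of HijackThis or of the forum posts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of lines from the first HijackThis log in this
# thread (truncated URLs are left exactly as the forum rendered them).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...://my.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [noxgxdo] c:\windows\system32\rcdnwuc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
"""

# Assumptions (mine, not from the thread): hosts treated as hijack targets, and
# Windows-directory executables that are expected in Run keys on this machine.
SUSPECT_HOSTS = {"websearch.drsnsrch.com"}
RUN_ALLOWLIST = {"ctfmon.exe", "rundll32.exe", "mmkeybd.exe", "explorer.exe"}
WINDOWS_DIRS = ("c:\\windows\\",)

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+)")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "F2"
    rule: str     # which heuristic fired
    detail: str   # the offending value (path, host, or whole entry)


def first_path(cmd: str) -> str:
    """Return the executable at the front of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIRS)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_line(line: str) -> list[Finding]:
    """Apply the heuristics to one log line; returns zero or more findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("section"), m.group("body")
    out: list[Finding] = []
    if sec in ("R0", "R1") and " = " in body:
        # Browser start/search settings: flag values on a known hijack host.
        host = HOST_RE.match(body.split(" = ", 1)[1])
        if host and host.group(1).lower() in SUSPECT_HOSTS:
            out.append(Finding(sec, "browser setting points at known hijack host", host.group(1)))
    elif sec == "F2" and "Shell=" in body:
        # Winlogon shell: anything besides Explorer.exe is chained persistence.
        for token in body.split("Shell=", 1)[1].split():
            if token.lower() != "explorer.exe":
                out.append(Finding(sec, "extra program chained onto the Winlogon shell", token))
    elif sec in ("O2", "O3", "O9") and ("(file missing)" in body or "(no file)" in body):
        out.append(Finding(sec, "orphaned registration (file absent)", body))
    elif sec == "O4":
        r = RUN_RE.search(body)
        if r:
            path = first_path(r.group("cmd"))
            if in_windows_dir(path) and basename(path) not in RUN_ALLOWLIST:
                out.append(Finding(sec, "Run key launches unexpected executable from Windows directory", path))
    elif sec == "O23":
        parts = [p.strip() for p in body.split(" - ")]
        if len(parts) >= 3 and parts[1].lower() == "unknown owner" and in_windows_dir(parts[2]):
            out.append(Finding(sec, "service with no vendor string in Windows directory", parts[2]))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run check_line over every line of a HijackThis log."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        findings.extend(check_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.rule}: {f.detail}")
```

On the sample this flags Nail.exe on the Shell line, the two random-named system32 executables, SvcProc, the dead BHO/toolbar entries and the drsnsrch search hijack, which is exactly the set Excal told the poster to fix. It also flags Netropa's Nhksrv.exe, a legitimate keyboard-driver service that Excal left alone, so treat the output as a review list rather than a verdict: "Unknown owner" only means HijackThis found no vendor string, and an analyst still has to confirm each item.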

#3
grrlpwr

    Member

  • Topic Starter
  • Member
  • 38 posts
Hi,
Thank you for all your help. I apologize for taking so long to get back to you; I was out of town and away from the infected computer.

Here are all my logs:

ActiveScan:

Incident Status Location

Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/FunWeb No disinfected Windows Registry
Adware:Adware/MyWebSearch No disinfected C:\Program Files\MyWebSearch
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/FunWeb No disinfected C:\Program Files\HijackThis\backups\backup-20050624-133754-653.inf
Spyware:Spyware/MarketScore No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\01FA4968-EEA7-4E1B-889E-1E031D\2DB7B535-AD93-4A02-BD7D-7B0B9D
Adware:Adware/IPInsight No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\339D96C2-9E5D-4217-97B7-FBF15E\E77AF81C-2B9E-42D6-8D87-45FC9A
Adware:Adware/IPInsight No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\5FF09FA0-F8A1-4633-8695-464984\595471EB-D5F9-4CAA-A0A9-D26212
Adware:Adware/IPInsight No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\5FF09FA0-F8A1-4633-8695-464984\D996A3CB-5AE0-442A-BE99-45AB60
Adware:Adware/Transponder No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\66F3546D-5467-4D2C-A988-4995B4\5E171226-EE84-42EE-9B81-977BAE
Adware:Adware/MultiMPP No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\6BBE7735-E441-48A3-9E68-6ED327\3BB732AD-3C84-4DF8-9271-2800B5
Spyware:Spyware/MarketScore No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\94546EE3-A162-420E-B212-641E2D\B7850DFE-B909-4007-BCC5-47387A
Spyware:Spyware/MarketScore No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\94546EE3-A162-420E-B212-641E2D\D4722A5C-F795-4303-9026-6689E3
Adware:Adware/IPInsight No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\BB4428BD-33B9-4D13-90B5-009530\A395E849-5F5A-4C5C-BE83-E98E40
Adware:Adware/MultiMPP No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\E115709E-8A2E-4496-8F28-F2C9B2\740047AD-B9A5-4B08-9A87-BE3944
Adware:Adware/Transponder No disinfected C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\F6DFBE17-67AE-4153-8AE7-52FB3F\7E6F0824-63F9-4624-8131-5645B7
Virus:W32/Mytob.FT.worm Disinfected Local Folders\Deleted Items\IMPORTANT NOTIFICATION\[account-details.zip][account-details.htm .scr]
Virus:W32/Mytob.FT.worm Disinfected Local Folders\Deleted Items\You have successfully updated your password\[account-password.zip][account-password.htm .exe]
Virus:W32/Mytob.FT.worm Disinfected Local Folders\Deleted Items\IMPORTANT NOTIFICATION\[account-details.zip][account-details.txt .exe]
Virus:W32/Mytob.FT.worm Disinfected Local Folders\Deleted Items\Your password has been successfully updated\[accepted-password.zip][accepted-password.doc .exe]
Virus:W32/Mytob.FT.worm Disinfected Local Folders\Deleted Items\Members Support\[readme.zip][readme.txt .scr]
Virus:W32/Mytob.FT.worm Disinfected Local Folders\Deleted Items\Important Notification\[important-details.zip][important-details.txt .exe]
Virus:W32/Mytob.FT.worm Disinfected Local Folders\Deleted Items\YOUR ACCOUNT IS SUSPENDED\[important-details.zip][important-details.htm .scr]
Virus:W32/Mytob.FT.worm Disinfected Local Folders\Deleted Items\Your password has been successfully updated\[accepted-password.zip][accepted-password.txt .scr]
Virus:W32/Mytob.FT.worm Disinfected Local Folders\Deleted Items\gkgtyzgjdt\[important-details.zip][important-details.htm .exe]

Ewido Scan:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:31:36 PM, 6/24/2005
+ Report-Checksum: 6ECC6792

+ Date of database: 6/24/2005
+ Version of scan engine: v3.0

+ Duration: 72 min
+ Scanned Files: 86074
+ Speed: 19.84 Files/Second
+ Infected files: 72
+ Removed files: 72
+ Files put in quarantine: 72
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\aclu\Cookies\aclu@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@ads.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@ehg-wachovia.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@guide.real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@index[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@linksynergy[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@radio.real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@statse.webtrendslive[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@valueclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\0161A6CF-2302-4710-97F8-87FB3C\0248C8E2-AE2B-4011-865A-B4B688 -> Trojan.Imiserv.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\0161A6CF-2302-4710-97F8-87FB3C\6920D0BE-8B34-460E-B599-F79975 -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\0161A6CF-2302-4710-97F8-87FB3C\7468F609-62B3-44F4-9BAC-77CC45 -> Spyware.ImiBar.d -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\0161A6CF-2302-4710-97F8-87FB3C\A40883CE-3AF5-4123-AF02-85C8BA -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\0161A6CF-2302-4710-97F8-87FB3C\B86B3553-3A6D-4593-A535-0F7E5C -> Trojan.Imiserv.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\0161A6CF-2302-4710-97F8-87FB3C\F414B189-5D4C-443F-AB97-120668 -> Spyware.ImiBar.d -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\0161A6CF-2302-4710-97F8-87FB3C\F9226CFC-DEDB-4778-97E5-A9A8E8 -> Trojan.Imiserv.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\292108C2-5F97-484E-8B03-0161E4\066718F6-90BA-45F5-98AD-29A6D2 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\292108C2-5F97-484E-8B03-0161E4\725AD655-D32F-4886-9B9A-3AAAA8 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\292108C2-5F97-484E-8B03-0161E4\8DA226C8-6484-41DE-B133-38C65B -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\5F3B344F-F6D7-4D86-BCC3-494708\536E9D07-CCDD-4991-93B2-AAFC53 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\5F3B344F-F6D7-4D86-BCC3-494708\B51E7717-BB9F-4A3C-9A53-A366B7 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\5F3B344F-F6D7-4D86-BCC3-494708\D169F30C-F572-462D-8581-346D31 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\62FD084C-0B58-4901-A1B4-0DEA65\D178B376-3EE5-45B8-8CC5-C8B8D5 -> Trojan.Agent.cp -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\68C7EF07-3BF8-4DD3-B3AC-7DDE51\16A110D4-EB57-4E9D-A030-74D979 -> Trojan.Agent.cp -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\68C7EF07-3BF8-4DD3-B3AC-7DDE51\67A7B080-48FF-4AC3-97B3-ECA943 -> Trojan.Agent.cp -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\71E59E39-591C-4DF7-9A66-2858EF\204A14F7-0130-4972-ACC9-F2A4E6 -> Trojan.Stervis.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\71E59E39-591C-4DF7-9A66-2858EF\7682C2FD-400B-4992-B521-6929BC -> Trojan.Stervis.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\7DABA30C-5458-4EF4-941C-CA4EB0\75967333-3740-4F13-BE2D-6F0E57 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\83B9C755-2A99-4304-B05D-7CF1BF\18DDC710-0CB5-49F7-AB3E-633B39 -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\83B9C755-2A99-4304-B05D-7CF1BF\4DC1CB84-5765-435B-BD2C-596647 -> Trojan.Stervis.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\83B9C755-2A99-4304-B05D-7CF1BF\58FB5F7C-493C-4D69-A7BC-F5E6C4 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\83B9C755-2A99-4304-B05D-7CF1BF\63F3118E-B136-404A-BE33-6E89CA -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\83B9C755-2A99-4304-B05D-7CF1BF\8927EC99-1B0A-4829-B686-F64365 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\83B9C755-2A99-4304-B05D-7CF1BF\97A8647E-0411-4EF3-9FD7-E27F92 -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\83B9C755-2A99-4304-B05D-7CF1BF\A365283A-6C57-4D84-8207-8CE06D -> Trojan.Stervis.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\83B9C755-2A99-4304-B05D-7CF1BF\B6F36D27-7ABD-4617-8151-DBD968 -> Trojan.Stervis.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\83B9C755-2A99-4304-B05D-7CF1BF\CB81E872-6F0E-40EB-9E32-3595B4 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\83B9C755-2A99-4304-B05D-7CF1BF\D7E8917B-F36A-4C80-97D7-1E9B3F -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\91FBD820-1750-49BB-BC8F-9FBDE0\170BCB41-A086-457D-ACF9-59AEB9 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\91FBD820-1750-49BB-BC8F-9FBDE0\86A5E407-D7E1-4988-8402-1F5E59 -> Trojan.Stervis.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\91FBD820-1750-49BB-BC8F-9FBDE0\BFCF7597-9AEE-40C3-BDC7-F2D953 -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\91FBD820-1750-49BB-BC8F-9FBDE0\DB0356C7-BD55-4DDC-8332-F62959 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\91FBD820-1750-49BB-BC8F-9FBDE0\DE4343A9-A396-46BF-AC61-64A4A4 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\92E6E6E7-C3FB-4BD1-9D5A-A65F43\EE458A0E-8B3D-43C9-BC25-322656 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9DCC1E60-8B67-4538-B847-5BA94C\75B3CF3E-1797-4026-AC8A-C4F322 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9DCC1E60-8B67-4538-B847-5BA94C\B352FD13-866A-4B25-BA84-E14D2F -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9DCC1E60-8B67-4538-B847-5BA94C\F1299FD5-DE2E-4201-9DF9-3A0BD7 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\B7E0AA2A-2FB2-4714-861D-A70C62\18E2CAC7-7076-4081-910B-C88B70 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\B7E0AA2A-2FB2-4714-861D-A70C62\23298249-385C-43E9-89AB-912AA1 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\B7E0AA2A-2FB2-4714-861D-A70C62\F3ED896B-C6AD-4DB4-AB08-A60A7B -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\BBF605EA-B8F6-4F2E-88A8-12B37B\C2D76629-6C08-4D72-82A1-41F2A2 -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\CFCC292B-26CF-48F0-97D2-DF3D24\0069B48D-1934-416F-995C-BFF5C6 -> Trojan.Imiserv.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\CFCC292B-26CF-48F0-97D2-DF3D24\22C7ECFA-EB90-4F97-97ED-BD4CF9 -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\E422E2C0-D12B-4609-AABF-D0375E\22057509-12AE-4362-8DA3-06E0C0 -> Trojan.Agent.cp -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB4F76A7-7C2A-4F4E-BA71-4B3D7A\1404287A-5A3E-44CB-91E4-38DF25 -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\F338C34A-F71C-45AB-89A9-91770F\31DBEA6C-CEDE-419F-AD49-FC5329 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FCBC60A5-4427-47DA-94B1-89BF54\B58DD6BB-9DAE-4467-8125-86386F -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FCDC0135-03DB-438E-A8A2-B97A02\BB743B14-94DE-4A4D-801D-205BE4 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FE8328CB-2F9D-4E2C-A147-34B22E\09F5BEE5-2110-4A08-824E-26ECC8 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FE8328CB-2F9D-4E2C-A147-34B22E\3122CD9F-A97C-4861-82B1-482314 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FE8328CB-2F9D-4E2C-A147-34B22E\8F064299-8307-43A5-80CB-04D44E -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP1050\A0051841.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP1051\A0051863.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP1054\A0051913.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP1060\A0052177.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP1060\A0052183.exe -> Trojan.Nail -> Cleaned with backup


::Report End

HiJackThis Scan:

Logfile of HijackThis v1.99.1
Scan saved at 1:32:46 PM, on 6/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\office2000\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst0_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.rich...st/twophase.cab
O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.soli...d/solitaire.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\system32\PGPsdkServ.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Again, thank you!! I hope this worked.

grrlpwr
  • 0

#4
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi

Can you please clean out the Quarantine sections in your antivirus protectors and spyware programs?

We are going to try this one more time, this way.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for System Startup Service (SvcProc) and double click on it. Click on the Stop button and under Startup type, choose Disabled. (if present)

5. Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)

C:\WINDOWS\Nail.exe

6. Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

7. Then please run Ewido, and run a full scan. Post the log from the scan here for me.

8. Close all browsers, windows and unneeded programs.

9. Open HiJack and do a scan.

10. Put a Check next to the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab


11. Click the Fix Checked box.

12. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\MyWebSearch
C:\Program Files\Ebates_MoeMoneyMaker


13. Please remove just the files from the following paths using Windows Explorer (if present):

C:\GatorPatch.log
C:\WINDOWS\Nail.exe


14. Run the program CleanUp!


Let me know how it goes and also how your computer is running. Post a fresh hijackthis log please ;)

:tazz:

Excal
  • 0
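An added example, not from this thread and not part of HijackThis: a small Python triage that applies the same checks Excal used on the 6/24 log (a Shell= value launching anything besides Explorer.exe, O3/O9 entries whose file is gone, and a caller-supplied watch list for O4 Run and O16 download entries). The sample log lines are constructed from the ones quoted above, and the watch list holds the two entries Excal asked to fix.

```python
"""Triage a HijackThis log for the persistence signs seen in this thread.

Added example; not the forum's or HijackThis's own code. The sample logs
below are constructed subsets of the 6/24 (before) and 6/27 (after) logs.
"""
import re

# F2 line: the Winlogon Shell value. Anything after Explorer.exe runs at
# every logon, which is how Nail.exe kept coming back.
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$", re.I)
# O3 toolbars / O9 buttons whose backing file is gone are leftovers.
ORPHAN = re.compile(r"^(O3|O9) - .*\((no file|file missing)\)", re.I)
# O4 Run entries: hive, name, command.
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$", re.I)
# O16 ActiveX downloads: the source is everything after the last ' - '.
O16_DPF = re.compile(r"^O16 - DPF: .* - (.+)$", re.I)

# Entries the helper asked to have fixed (watch list, not a verdict).
WATCH = ("ossproxy.exe", "imgfarm")


def shell_extras(value):
    """Return everything in a Shell= value that is not explorer.exe."""
    return [p for p in value.strip().split()
            if p.lower().rsplit("\\", 1)[-1] != "explorer.exe"]


def triage(log_text, watch=()):
    """Return (reason, line) findings for a HijackThis log, in log order."""
    watch = tuple(w.lower() for w in watch)
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = F2_SHELL.match(line)
        if m:
            extras = shell_extras(m.group(1))
            if extras:
                findings.append(("shell hijack: " + ", ".join(extras), line))
            continue
        if ORPHAN.match(line):
            findings.append(("orphaned entry (file missing)", line))
            continue
        m = O4_RUN.match(line)
        if m and any(w in m.group(3).lower() for w in watch):
            findings.append(("watched Run entry [%s]" % m.group(2), line))
            continue
        m = O16_DPF.match(line)
        if m and any(w in m.group(1).lower() for w in watch):
            findings.append(("watched ActiveX download", line))
    return findings


# Constructed subset of the 6/24/2005 log posted above.
BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
"""

# Constructed subset of the 6/27/2005 log: the same lines after the fix.
AFTER = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
"""

if __name__ == "__main__":
    for label, log in (("before", BEFORE), ("after", AFTER)):
        print(label, len(triage(log, WATCH)), "finding(s)")
        for reason, line in triage(log, WATCH):
            print("  ", reason, "::", line)
```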

#5
grrlpwr

    Member

  • Topic Starter
  • Member
  • 38 posts
Hi Excal,

I followed all your directions again and hopefully I did them correctly this time. As a few notes:
On step 4, I did not find "System Startup Service (SvcProc)". The closest I could find was "System Restore Service" and I disabled that. (Do I need to go back in and enable this feature now that I am done?)

During my HijackThis scan, I found none of the items you listed. Nail.exe was not found on the computer either.

My final question to you (that is, if this worked)- what software do you recommend to use to block/delete spyware? We have used the trial of CounterSpy, which seemed to find a lot more spyware than AdAware and Spybot combined. We have 7 computers in our office, but the one we are working on is the only one with a severe spyware problem. We have also started using FireFox as the browser and this has seemed to make a marked difference in the number of popups.

Below is my HijackThis log, as well as the Ewido log:

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 11:24:49 AM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\office2000\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst0_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.rich...st/twophase.cab
O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.soli...d/solitaire.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\system32\PGPsdkServ.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:23:58 AM, 6/27/2005
+ Report-Checksum: A6A26EF7

+ Date of database: 6/24/2005
+ Version of scan engine: v3.0

+ Duration: 63 min
+ Scanned Files: 81622
+ Speed: 21.36 Files/Second
+ Infected files: 4
+ Removed files: 4
+ Files put in quarantine: 4
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\aclu\Cookies\aclu@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aclu\Cookies\aclu@real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End


Thank you SOOOOO much for your help. I really appreciate your patience.

grrlpwr
  • 0

#6
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Looks good!

YES please go back and reenable "System Restore Service"!

Go to Start->Run and type in services.msc and hit OK. Then look for System Restore Service and double click on it. Click on the start button and under Startup type, choose Automatic. (if present)


Great job, it appears your computer is clean :tazz:

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

Might I suggest the following Free Spyware programs for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE

Spybot S&D


If you are unhappy with your current antivirus and want to replace it, or if you don't already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast


The following free programs are great for prevention:

SpywareBlaster 3.4

Spywareguard

IE/Spyad


A Firewall is a must! Here are 3 good free versions:

Sygate

Kerio

ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox

Opera

This site is a great source for tightening up security on Internet Explorer settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure and give the Temp folders a cleaning out now and then as well. Make sure after you clean your Temp files to empty out your Recycle Bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.
  • 0

#7
grrlpwr

    Member

  • Topic Starter
  • Member
  • 38 posts
Thank you again for all your help! Glad to know that we are finally spyware free! Phew!

grrlpwr
  • 0

#8
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
You're welcome :tazz:
  • 0

#9
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
