
HELP ME.....ABI network, aurora, DrPMon.dll and tr [CLOSED]


  • This topic is locked

#1
james_8970


    Trusted Tech

  • Retired Staff
  • 5,084 posts
Lately I have been receiving literally about 2 trojans a day :tazz: I have been finding them under safe mode and with the help of Microsoft Anti-Spyware. Also I have been getting a lot of pop-ups from Aurora and seem to have something called ABI network (uses Aurora to advertise). It is getting very annoying and I can see computer performance dropping. I also have that nail.exe; however, I have installed the Nailfix but I don't know if it worked or not. Can you please HHHHHHHHEEEEEEELLLLLLLLLPPPPPPPP!
Thanx

here is my hijack code thing

Logfile of HijackThis v1.99.1
Scan saved at 10:52:58 AM, on 28/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\obxtvov.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\IDETOOL\IDETOOL.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\James\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cjs.portal.rielsd.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [skuivk] c:\windows\system32\pyzukpc.exe r
O4 - HKLM\..\Run: [rwbyoh] c:\windows\system32\tbbfsp.exe
O4 - HKLM\..\Run: [ostdeb] c:\windows\system32\alwfec.exe r
O4 - HKLM\..\Run: [mtbyocr] c:\windows\system32\gywynwf.exe r
O4 - HKLM\..\Run: [lhijme] c:\windows\system32\tmaqpdy.exe
O4 - HKLM\..\Run: [efxnac] c:\windows\system32\bgmfedt.exe r
O4 - HKLM\..\Run: [bczhyue] c:\windows\system32\keqdpla.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [imzsxo] c:\windows\system32\obxtvov.exe r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094518761810
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: %NVSVC.name% (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0



#2
Guest_usetobe_*

  • Guest
Welcome to Geeks 2 Go. Sorry about the delay in getting to your post, we have been very busy.

Do you still require help or are your problems resolved?

Please let me know and if you still require assistance, please post a fresh HJT log.

Regards,

Usetobe
  • 0

#3
james_8970


    Trusted Tech

  • Topic Starter
  • Retired Staff
  • 5,084 posts
Yes, I still do need help!!!! Please can you help me when you find some time!!!! Quickly

Here is my latest log from HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 6:38:10 PM, on 03/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IDETOOL\IDETOOL.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\windows\system32\fiegedn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\James\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cjs.portal.rielsd.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [zljnxs] c:\windows\system32\fiegedn.exe r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094518761810
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0C4843E-C135-45C1-BA8E-B6B4ECAC17A6}: NameServer = 142.161.2.155 142.161.130.155
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: %NVSVC.name% (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I need help to resolve these problems with my computer. I'm getting 2 trojans every time I reboot my computer and I don't know how they continue to find my computer to place more on my computer even after I have removed them, but they get new ones with new names and all. One other question: I have installed Microsoft Anti-Spyware beta; when it places stuff in quarantine, what do I do with it? Should I click the boxes and then click the button that says to remove them permanently from my computer? If you can help me with this issue PLEASE help me because I'm starting to even have problems accessing the internet!
thanx
  • 0

#4
Guest_usetobe_*

  • Guest
You still have a nasty nail infection, and I don't mean on your fingers and toes :tazz:

We are going to hit this with a big hammer.

Firstly, please create a new folder on your C drive (for example C:\HJT). Install HJT into that folder and run it from there. That way it can create backups if required.

Please empty your Microsoft Antispyware quarantine folder deleting the files from your computer. Then uninstall Microsoft Antispyware, as it may interfere with what we need to do. You can reinstall it once we have finished, however bear in mind it is still only in Beta testing stage.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://dknoppix.com/...oad.cgi?Nailfix
Unzip it to the desktop but please do NOT run it yet.

Please download Cleanup from here:
Cleanup. Do not run it yet.

Set up PC to show hidden files. (Click link if you do not know how)
Show hidden files

Download Process Explorer from http://www.sysintern...ssExplorer.html

Run Process Explorer and find this Process in the list of Processes.

fiegedn.exe

Select the process and click Process > Suspend.

Then in HijackThis click Config > Misc Tools > Delete a file on reboot...
In the explorer Window select the file c:\windows\system32\fiegedn.exe

When prompted if you want to reboot click YES
Leave Process explorer running with the process suspended.

1) Whilst your pc is restarting
2) After hearing your computer beep once during startup, but before the Windows icon appears, Tap the F8 key several times.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. This may take some time, so go grab a coffee. Once it finds the first issue tick the box for all. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cjs.portal.rielsd.org/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - (no file)
O4 - HKLM\..\Run: [zljnxs] c:\windows\system32\fiegedn.exe r


Close all open windows except for HijackThis and click Fix Checked.

Now using windows explorer locate and delete the following files/folders if found.

C:\WINDOWS\Nail.exe


Now run Cleanup

Restart your computer in normal mode

Run this online virus scan: ActiveScan - Save the results from the scan!

Please post a new HijackThis log, as well as the log from the Ewido scan and Panda.
  • 0
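The checks behind post #4's selection can be run mechanically over a HijackThis log. This is an added example, not part of the original thread and not code from HijackThis: it reports anything appended to the system.ini Shell value, toolbar/BHO entries whose file is missing, and Run values that appeared or vanished between two logs. The sample input is a few lines copied from the two logs posted above; the function names are illustrative.

```python
import re

# Constructed sample input: a handful of result lines copied from the two
# HijackThis logs in this thread (28/06/2005 and 03/07/2005).
LOG_JUNE_28 = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [skuivk] c:\windows\system32\pyzukpc.exe r
O4 - HKLM\..\Run: [imzsxo] c:\windows\system32\obxtvov.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
"""
LOG_JULY_03 = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zljnxs] c:\windows\system32\fiegedn.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - <body>"
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse(log):
    """Return (section_code, body) for every HijackThis result line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def run_entries(log):
    """Map (hive, key, value name) -> command for the O4 registry autoruns.

    Names and commands are lower-cased and unquoted, because the same entry
    is not always written with the same case (CTFMON.EXE vs ctfmon.exe here).
    """
    out = {}
    for code, body in parse(log):
        m = RUN_RE.match(body) if code == "O4" else None
        if m:
            hive, key, name, cmd = m.groups()
            out[(hive, key, name.lower())] = cmd.replace('"', "").lower()
    return out


def autorun_churn(old_log, new_log):
    """Return (added_or_changed, removed) autorun keys between two logs."""
    old, new = run_entries(old_log), run_entries(new_log)
    added = sorted(k for k in new if old.get(k) != new[k])
    removed = sorted(k for k in old if k not in new)
    return added, removed


def shell_extras(log):
    """Return whatever follows Explorer.exe in an F2 Shell= override."""
    extras = []
    for code, body in parse(log):
        if code == "F2" and "Shell=" in body:
            value = body.split("Shell=", 1)[1].strip()
            if value.lower().startswith("explorer.exe"):
                value = value[len("explorer.exe"):].strip()
            if value:
                extras.append(value)
    return extras


def orphaned_clsids(log):
    """Return CLSIDs of O2/O3 entries whose backing file is reported missing."""
    found = []
    for code, body in parse(log):
        if code in ("O2", "O3") and body.rstrip().endswith("(no file)"):
            found.extend(CLSID_RE.findall(body))
    return found


if __name__ == "__main__":
    added, removed = autorun_churn(LOG_JUNE_28, LOG_JULY_03)
    print("Shell extras:     ", shell_extras(LOG_JULY_03))
    print("Orphaned CLSIDs:  ", orphaned_clsids(LOG_JULY_03))
    print("Autoruns added:   ", added)
    print("Autoruns removed: ", removed)
```

A Run value that differs between two logs is a lead to investigate rather than a verdict; legitimate installers add autoruns as well.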

#5
james_8970


    Trusted Tech

  • Topic Starter
  • Retired Staff
  • 5,084 posts
OK, here it is..... I know that a file on my computer is with Aurora but my computer continues to fail to uninstall it; it's called oabntj.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cjs.portal.rielsd.org/ I know that this is safe and that I shouldn't delete it; it's my home page (I made it my home page), it's for my school, so I think I should keep that.

I was unable to find O4 - HKLM\..\Run: [zljnxs] c:\windows\system32\fiegedn.exe r; however, I found something very similar to it. Should I delete it?

Here is my Panda scan
Incident                    Status          Location

Adware:Adware/WUpd          No disinfected  C:\WINDOWS\system32\ap9h4qmo.ini
Adware:Adware/Transponder   No disinfected  C:\DOCUME~1\James\LOCALS~1\Temp\DrTemp
Adware:Adware/Aurora        No disinfected  C:\Documents and Settings\James\Local Settings\Temp\6.tmp\thnall1ac.exe
Adware:Adware/Transponder   No disinfected  C:\WINDOWS\svcproc.exe
Adware:Adware/WUpd          No disinfected  C:\WINDOWS\system32\ap9h4qmo.ini
Adware:Adware/Transponder   No disinfected  C:\WINDOWS\system32\oabntj.zip[oabntj.exe]
Adware:Adware/Transponder   No disinfected  C:\WINDOWS\system32\__delete_on_reboot__DrPMon.dll
Adware:Adware/Transponder   No disinfected  C:\WINDOWS\system32\__delete_on_reboot__fdwikyt.exe

Here is my Ewido scan

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:26:28 PM, 05/07/2005
+ Report-Checksum: 8FF516E7

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{17973BD7-959C-4D8A-8B2F-AB200E20A75E} -> Spyware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6FE4AADF-EDAC-4037-9164-0B60179A4F12} -> Spyware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A797A41D-F9F0-4A32-B9B5-AF927CB5AE54} -> Spyware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B12508AD-CA55-4238-8DB3-55808BA6915A} -> Spyware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BF7CB2C3-55B6-44C1-9615-920D004C27F7} -> Spyware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F912C325-5B26-4AD6-BF39-84370833E972} -> Spyware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{081DE2F6-927B-4AA9-88C1-F531C9387383} -> Spyware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000EF1-0786-4633-87C6-1AA7A44296DA} -> Spyware.FavoriteMan : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07E9CDF4-20D2-46B1-B681-663968F527CE} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{302A3240-4805-4A34-97D7-1645A0B08410} -> Spyware.VX2 : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D568F0F-8AC9-40AB-88B7-415134C78777} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{52FE5233-367C-4EFB-BDD7-0BE4D212C107} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{841A9192-5690-11D4-A258-0040954A01BE} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
HKU\S-1-5-21-527237240-1580818891-1343024091-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EFB22865-F3BC-4309-ADFA-C8E078A7F762} -> Dialer.Generic : Cleaned with backup
[732] VM_00F80000 -> Adware.BetterInternet : Error during cleaning
:mozilla.13:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.193:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.230:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Findwhat : Cleaned with backup
:mozilla.295:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.296:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.297:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.298:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.299:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.380:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.381:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.387:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
:mozilla.391:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.400:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.438:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.439:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.440:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.441:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.490:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.491:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.492:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.503:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
:mozilla.504:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.505:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.676:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.677:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.678:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.679:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.680:C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\mjhinau3.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@ad-logics[2].txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@clickagents[2].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@dbbsrv[2].txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@euniverseads[2].txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@internetfuel[1].txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@mt.valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@web4.realtracker[2].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@weborama[1].txt -> Spyware.Cookie.Weborama : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@www.shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\Daniel\Cookies\daniel@z1.adserver[2].txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.14:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.15:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.77:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.78:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.84:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.85:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.86:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.87:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.94:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.95:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.96:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.97:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.115:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.140:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6qkqyyws.default\cookies.txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@ehg-bestbuy.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@premiumnetworkrocks.valuead[2].txt -> Spyware.Cookie.Valuead : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\James\Local Settings\Temp\APP\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\James\Local Settings\Temp\GGX\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\James\Local Settings\Temp\GXD\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\James\Local Settings\Temp\KCX\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\James\Local Settings\Temp\OYQ\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Kevin.HOGWARTS\Cookies\kevin@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kevin.HOGWARTS\Cookies\kevin@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Kevin.HOGWARTS\Cookies\kevin@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Kevin.HOGWARTS\Local Settings\Temp\UYD\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Kevin.HOGWARTS\Local Settings\Temp\XOW\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\000D9D11-EE5F-4655-BAD9-A58AE5\2FB80527-1B7B-417F-B3CB-815BFE -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\00B83D15-6E5D-450E-9752-3B82D4\A528D59A-FB8F-4FB0-B34E-059770 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0399646F-F365-4DBD-AD34-57F437\516AAE7A-CBA6-43B7-9308-5D5212 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\100E5E4F-E9F9-4F81-95DC-780A18\9E028DA4-0EA1-41AF-B6BB-FD885F -> Trojan.Agent.cp : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\10AE644E-7F21-412C-B433-52FAF5\734F30F4-50F4-444A-8B22-F8BC50 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\2F83E7C3-82CA-40C0-BE4F-4B1576\FECADAED-2E80-4CF6-B198-F06A2E -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3F6A8D37-8D2D-4A54-AA5A-1898A7\96816ADD-3BCC-4FAF-AC03-BD9081 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4AB73CA5-77B6-4651-99FE-041DFC\84867E85-927D-4CE2-A754-68E831 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4EE44DAD-0A99-44EC-972D-ABA815\41A8F0A8-EE98-4810-9EC0-924C98 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\776DDCD5-A4F4-4DAA-BB06-16CE58\10BE371F-C081-4211-8A08-B2C5E5 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7B5803F2-FD27-4AC6-AB51-573BA8\3671FD15-FBBA-4AA2-9ED1-B5EBD8 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8AD0F517-55D1-487B-B868-F1631A\78DE6D82-9010-4EAD-9D85-81A127 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8AD35A82-A548-4B26-9089-7D6FEE\0E9315DD-E913-4629-BB8B-51E640 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A04BAF47-384F-46E1-ABB5-E63AA8\AB055828-F109-4E52-82B9-FB5B76 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AEBD5465-997D-4A4B-8829-06FD9F\1E55CAE7-F25B-4BFF-972A-6A19CD -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AF2CCD64-2AC4-4104-B8C2-268B6A\F8F0CA7F-C03B-4DC8-9FDD-0E43A0 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AFC61838-FDCA-4392-95D7-D9036A\B259D2E7-DE43-465F-BDC7-DF3F85 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B39718DE-4E51-41B5-A3EB-82F3EE\808C436B-C660-46EA-8B6C-A9DDB1 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B5AD59DE-DC4C-4EDA-9EA3-0F6519\C3449394-1BCD-449C-931F-ACDB0C -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B7857A67-11F7-4165-8D66-A1A701\A6BC102A-CD12-44A5-8F25-CF4C9E -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C36900A9-A45D-4D1A-AF60-7255B9\3A93361A-4343-4E39-86E7-8DA189 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C6693D7C-D6D1-47DC-8012-0FBEC6\714103E6-4A93-40CB-BFD5-F03E67 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\D06449DA-D69D-4EE4-9377-5919B9\264185B5-D0CB-479B-92A0-322BFB -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E80BD63A-35C0-4504-B609-345C3F\3302517D-C2F7-4BE5-8AB6-DBC40E -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\EB74E8FF-3860-4EB4-937A-054DE5\C40BE2D2-7FD0-4933-B5D5-377767 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\EEB23819-13F1-4A26-B1FC-0E6FCF\DD5BA86A-8781-4F6A-B46C-AF4690 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F6EFFE9E-5CF4-4A8B-A600-8DBD85\E4C418F1-4B07-44D7-A848-A1D0A4 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\FD8B32C2-ED15-43D2-9EC0-4C8BA3\837304C9-A4CA-4A6D-A1A9-7071B0 -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\S-1-5-21-602162358-261478967-725345543-1003\De129\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\qdmgtbhyac.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\samttj.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\fvdxhei.exe -> Trojan.Agent.cp : Cleaned with backup
C:\WINDOWS\system32\mkqlaj.exe -> Trojan.Agent.cp : Cleaned with backup
C:\WINDOWS\system32\oabntj.zip/oabntj.exe -> Adware.BetterInternet : Error during cleaning
C:\WINDOWS\system32\ohbaofa.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\osfilhj.exe -> Trojan.Agent.cp : Cleaned with backup
C:\WINDOWS\system32\ululsob.exe -> Trojan.Agent.cp : Cleaned with backup
C:\WINDOWS\system32\vygzpqf.exe -> Trojan.Agent.cp : Cleaned with backup
C:\WINDOWS\system32\xhkjlb.exe -> Trojan.Agent.cp : Cleaned with backup
C:\WINDOWS\system32\ximksb.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0HGJOHWN\Nail[1].exe -> Adware.BetterInternet : Cleaned with backup


::Report End

And for the last one, my most recent hijack scan:
Logfile of HijackThis v1.99.1
Scan saved at 11:17:22 PM, on 05/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IDETOOL\IDETOOL.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\fdwikyt.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\James\My Documents\iteams for desktop\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cjs.portal.rielsd.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [fduvuw] c:\windows\system32\fdwikyt.exe r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094518761810
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0C4843E-C135-45C1-BA8E-B6B4ECAC17A6}: NameServer = 142.161.2.155 142.161.130.155
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: %NVSVC.name% (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks a lot for the help so far
  • 0

#6
Justin

    I do a little bit of everything

  • Member
  • 2,353 posts
Hello, my name is Jfcap. Usetobe has had a medical emergency and he has asked me to take care of some of his active logs.

Let's address some of your questions before we fix the rest of your problem.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cjs.portal.rielsd.org/ I know that this is safe and that I shouldn't delete it, it's my home page (I made it my home page), it's for my school, so I think I should keep that.

Go ahead and keep it. Usetobe selected it only because we don't recognize the site. If you know the site, feel free to keep it.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - (no file)
O4 - HKLM\..\Run: [fduvuw] c:\windows\system32\fdwikyt.exe r

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please delete these files using Windows Explorer (if present):

c:\windows\system32\fdwikyt.exe


Then post a new HiJackThis log for me to look at. Also, could you please tell me the file path for this file in your computer: oabntj.exe
  • 0
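The before/after check that the request for a new HijackThis log makes possible, as an added example that is not part of the original thread: it compares two logs and reports whether the entries selected for fixing are gone and whether anything new appeared. The function names are hypothetical, and the two sample logs are shortened excerpts of the 05/07/2005 and 06/07/2005 logs posted in this thread.

```python
import re

# HijackThis entry lines start with a section code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - \S")


def _key(line):
    """Case- and whitespace-insensitive key (Windows paths ignore case)."""
    return " ".join(line.split()).lower()


def parse_hjt(text):
    """Return (processes, entries): process keys as a set, entries as {key: line}."""
    processes, entries = set(), {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
        elif ENTRY_RE.match(line):
            in_processes = False          # the entry list follows the process list
            entries[_key(line)] = line
        elif in_processes:
            processes.add(_key(line))
    return processes, entries


def compare_logs(before, after, targets):
    """Check that each target entry was removed and list what else changed."""
    b_procs, b_entries = parse_hjt(before)
    a_procs, a_entries = parse_hjt(after)
    wanted = [(t, _key(t)) for t in targets]
    return {
        "fixed": [t for t, k in wanted if k in b_entries and k not in a_entries],
        "still_present": [t for t, k in wanted if k in a_entries],
        "new_entries": [a_entries[k] for k in a_entries if k not in b_entries],
        "gone_processes": sorted(b_procs - a_procs),
        "new_processes": sorted(a_procs - b_procs),
        # Entries whose backing file is missing, as HijackThis marks them.
        "no_file": [l for l in a_entries.values() if l.lower().endswith("(no file)")],
    }


# Shortened excerpt of the 05/07/2005 log from this thread.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:17:22 PM, on 05/07/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\windows\system32\fdwikyt.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [fduvuw] c:\windows\system32\fdwikyt.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# Shortened excerpt of the 06/07/2005 log from this thread.
AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 5:17:26 PM, on 06/07/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# The two entries selected for "Fix Checked" in the post above.
TARGETS = [
    r"O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - (no file)",
    r"O4 - HKLM\..\Run: [fduvuw] c:\windows\system32\fdwikyt.exe r",
]

if __name__ == "__main__":
    for name, value in compare_logs(BEFORE, AFTER, TARGETS).items():
        print(f"{name}: {value}")
```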

#7
james_8970

    Trusted Tech

  • Topic Starter
  • Retired Staff
  • 5,084 posts
That sucks, well tell him to get well soon.
Thanks for helping me too.
Anyways, I think I removed oabntj.exe, as I moved it earlier to a zip file to try and make it easier to remove, and now I could, so that problem is gone. One question: is fdwikyt.exe-20314DE2.pf the same as fdwikyt.exe? Because I found fdwikyt.exe-20314DE2.pf and not fdwikyt.exe, so should I remove it?
And here is my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:17:26 PM, on 06/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IDETOOL\IDETOOL.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\James\My Documents\iteams for desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cjs.portal.rielsd.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094518761810
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0C4843E-C135-45C1-BA8E-B6B4ECAC17A6}: NameServer = 142.161.2.155 142.161.130.155
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: %NVSVC.name% (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

once again thanks a lot for the help
and tell usetobe to get well soon
  • 0

#8
Justin

Justin

    I do a little bit of everything

  • Member
  • 2,353 posts
Hello!

Your HijackThis log looks great. Are you still noticing any popups or other problems?

To answer your question above, that file is your prefetch folder, so we will clear it out.

To clean out the folder, click Start, Run, type in "prefetch" and press enter. When the folder displays, press Ctrl + A to select all files, and then press the delete key. Do be assured that deleting these files will in no way harm the computer.
  • 0

#9
james_8970

james_8970

    Trusted Tech

  • Topic Starter
  • Retired Staff
  • 5,084 posts
I did a scan today and it found some more Aurora stuff, must be missing something. I found about 6 different things under my startup that shouldn't be there, so I'm going to remove them. Then tomorrow I will give you another HJT log to see if there is anything there. One other question: when ewido places something under quarantine, should I remove it or what... what is the point of it?
  • 0

#10
Justin

Justin

    I do a little bit of everything

  • Member
  • 2,353 posts
Hi James,

I'm out of town on vacation, and I tried to find someone to take over for me, but I guess no one did. Sorry for the delay. I will send a PM to someone and have them help you.

Again, I apologize for the delay.
  • 0

#11
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hi James. I'm sorry no one got around to taking over for Justin. Yes, please DO remove everything that Ewido placed in quarantine. Next time you run a scan with Ewido, choose to CLEAN the findings, instead of quarantining them.

Let me see another HJT log, and I'll check to see what's still there we can clean up!
  • 0

#12
james_8970

james_8970

    Trusted Tech

  • Topic Starter
  • Retired Staff
  • 5,084 posts
OK, but what should I do with the quarantined files then? Because ewido is only a demo and will uninstall soon, and when it does so won't those files be reactivated? I have found some new stuff on my computer containing Aurora. I'm going to remove it under safe mode and try to remove a bunch of other stuff I have under my setup that shouldn't be there. If I have any troubles... again I will send a new HJT log.
Thanx
  • 0

#13
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hello again. If you remove them from quarantine, it deletes them. When the Ewido trial expires, you CAN still use it. ALL you lose when it expires is the "automatic update" function. You can still use Ewido, and just update it manually! :tazz:

Why don't you give me an HJT log, and a copy of any log you have from Ewido or others showing the Aurora problems still existing, and I'll help you get it all cleaned out!
  • 0

#14
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





